MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14



SHA256 hash: 7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd
SHA3-384 hash: 449bed8dd06aeb0a2ecf2368856570795b54af8fbb3c938878dcaa8401fb0e4ae14017c1f1b8929316009db15a6c2296
SHA1 hash: 8b7f8ee3c5672015d31221307bfcd24aa5a92cfb
MD5 hash: 13b2e22fe1f86ae73f2b2c3f71da3063
humanhash: lithium-purple-nevada-hamper
File name: COMPLETE ORDER WITH DATA SHEET.exe
Signature: Formbook
File size: 620'544 bytes
First seen: 2023-09-20 08:40:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:QQlexrzkdgO/cfHo9+g2pzqK4CBaokp3bXG:dlexrzkKOt9+vgdCBaokpLXG
Threatray: 35 similar samples on MalwareBazaar
TLSH: T1A6D422143BA44E5AE11D6F7D09701A5163B19697BC62C3D4AEC2F0EB0B5BBD2C22374B
TrID: 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.1% (.SCR) Windows screen saver (13097/50/3)
      8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 886443434b83cbe2 (17 x AgentTesla, 7 x Formbook, 4 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 299
Origin country: NL

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: COMPLETE ORDER WITH DATA SHEET.exe
Verdict: Malicious activity
Analysis date: 2023-09-20 08:41:56 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
[Behavior graph, ID 1311421. Sample: COMPLETE_ORDER_WITH_DATA_SHEET.exe; start date 20/09/2023; architecture WINDOWS; score 96. Sample-level signatures: Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, Yara detected FormBook, 5 other signatures. Process tree: COMPLETE_ORDER_WITH_DATA_SHEET.exe started, flagged with "Adds a directory exclusion to Windows Defender" and "Injects a PE file into a foreign processes"; it started powershell.exe and two further COMPLETE_ORDER_WITH_DATA_SHEET.exe instances; powershell.exe started conhost.exe.]
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-09-20 08:41:07 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd (this sample)
Delivery method: Distributed via e-mail attachment
