MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5
SHA3-384 hash: 336e1c31237e6cbfadd4497ea7efa364266ee0b67c7e3d4970e854fffdeb21ef9ed02d214a15ec91cb1df32c85aee87f
SHA1 hash: 3c3f99f9319e42a3e2f25c28714c060b29c56a30
MD5 hash: 9870e92d2865d48074d599e1dcd7001a
humanhash: mobile-leopard-equal-network
File name:PIqLeJRHKnukIQd.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:861'184 bytes
First seen:2023-12-04 15:21:29 UTC
Last seen:2023-12-04 17:30:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:xfYNr4R9cxP45+po2duWdKxMCnjlSH9f8rGij/UBT/p3o6VoYwRtPmrS:Hck+pJddduNnj40kT/xoK/wRVm
Threatray 494 similar samples on MalwareBazaar
TLSH T1B405E00562F51F19E47E67F58294020047BB7B9A613BE35C6EC9E0D72E71B020E1BB6B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462393/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.29151.6505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656deec4da3178d99cd70b86/reports/b38ed204-5540-41b3-9a1f-e3427d793965/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c046624-2813-4ae8-85a6-3041cb25ec5a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353288
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 15:22:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
13 of 22 (59.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5ciq6que4jwnuu3fowlb5efo5k3saspxorvrii2wrdsusmlhwsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22831628191c902a9ecd0b30822a80fd61cbf32ca11996cc77f3faec57a2f750
Formbook
2adf12374473a7fd42a48cd30a1e59f4668ac77b82e4b0c02ffd498f57f0520f
Formbook
66af663670d7633a7f060c1d6d49d27d9e3d708b955e3c3a77be760f3c6e9099
Formbook
6de3ca2658af9f752d06492509b21dbe3862fc018270f56d5a2894cb6e5a1e7a
Formbook
c88aa06f7f7d22f3a6c66c84bf6aafd8838357d02d2287bbbcd61fb21264dfe4
Formbook
d149fc6adc07ffa848eb414438af0bb68cee6b0f3d7c4fe5dc919e7f5182bd27
Formbook
d76f0bd5be27187672f2b89be93eba20033cadb397398143bfe6f81d8ef4d9dd
Formbook
+ 484 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231204-srwhysca94/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
abd2c3b0039dd1421b0bbd768a3cd42bcca1294869f97d14786a073ec8efdba4
MD5 hash:
4f33a1890424258da5adbf36d6192925
SHA1 hash:
2ad12a7c79ded8fbb46116c4a3443a1d7d8713bb
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
Parent samples :
7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5
5a62ce1ce44bcaed2a0fddb1aadfa7bc0fcc3a63eadfc0016fb4038975bf4ebe
SH256 hash:
68c9d3637edc94c4009897287748464224fed3a919eace887d6976083536650a
MD5 hash:
a13f9af4b39257823f5a7da3c64b219f
SHA1 hash:
b3ed93845fc4817d35befeacaefb2e4fc1bc8901
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
a41ac40d0a8dd9296583fe6d2cab50f90bf2268e5e28b4687ca2af55a8be91e4
MD5 hash:
bf1994c96124235cfa2f7714578ac1b2
SHA1 hash:
c788c8cc947b4e92d59cc0d28437b1f9bf3a6246
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
0e632a46a8f54a2d0d277035b83df6e626ccdbee60b422f675f93f863e58666b
MD5 hash:
b306e84f5926d3fd89812e3737ebde95
SHA1 hash:
592f9b8fabacdd9480cc89d90254b1c63adcece2
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
ec739d6d5e726553e7ee2d957dcf3c3786f4ca18d1f57023ccd27320c69e0900
MD5 hash:
f09922bd022dbe972ff70bb150e27f81
SHA1 hash:
2d0d1ba1b8326eee5d4ee5e8bf4d060f7eeb2f3b
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
63228661851a17087b2043e72fcba46cb9d7f64255ba6194048f7c9827642c66
MD5 hash:
1b4dde0f0850667993c238137b369d8a
SHA1 hash:
d8f6caabdd064c43a3a2318a1d73bdc24c1b6110
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
917978a57c81d6ee1e89c38ff08ae29b57dfc5af082066c4f34fadbea5995c9d
MD5 hash:
3074bca6e0280890e7cb0d6a8c7ef043
SHA1 hash:
d8f3115e06d9e328622f5f5ff95f5e3306c16fee
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
71b16873eddc63a152505d7d50dd0e53dd8787ddb451d22f19e80d6790b9cd2c
MD5 hash:
c5bed1e9a0f4bafe8f9d08a1e3687ff3
SHA1 hash:
60fc60ad8bb00a4f74fa29d800d7fccd6e2645e1
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
aca48b767a33c8e2e9854ac212d2512e162154995ccea74511d731a9a738efe0
MD5 hash:
0222afd0838c19139eb26de3225bc75a
SHA1 hash:
5ec19c615cff47ce2b4c9502959672c6d62e8aa3
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
95dd8fbf041ecaf7c382b31ba9fe0dd36a1ca6b3100f7658bd8c0ab5b0237bc0
MD5 hash:
3c3517350138b8acd3b1a67848142e76
SHA1 hash:
0612d2605939a11b07ea1201fb80e7403fb4eaef
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
af87bb8fd71609976939007ca8c53a4635d583a2dfee0661231207d1e0352e1b
MD5 hash:
f4d62123d0196a3ee728d276e59d0c45
SHA1 hash:
04ce03ce968fe975a5f00e4c69f2c9388df562b4
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
SH256 hash:
7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5
MD5 hash:
9870e92d2865d48074d599e1dcd7001a
SHA1 hash:
3c3f99f9319e42a3e2f25c28714c060b29c56a30
Link:
https://www.unpac.me/results/1a21aaa0-f4a6-4cd3-b7e4-4321a9ce24a2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f44887a1427/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462393/

Comments