MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079
SHA3-384 hash: 11d16f640cb8e3992c061387cafec8a559da0e26a1e848be5c13096241d424a4f9b3a65049d9a24991761200e3f46f8d
SHA1 hash: 4d3772c9696ed20667d66bdf1fe300482c8db1a1
MD5 hash: 50f3c43ed43497ee1b222d999104dba6
humanhash: iowa-twelve-ink-music
File name:Payment Swift Copy.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:738'816 bytes
First seen:2024-02-21 13:24:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:NE7fYNuxijXEsS5tONTJO3looAnXYcsPHjQ603Q/nS4Roz68WT4sw30R0MuC2iN:C7fg785mVOcX2DQrqO68fswEOMuC1
Threatray 741 similar samples on MalwareBazaar
TLSH T17BF4238065C54763D934DFF018F241112BFBA8B682A2E26E5FD950DF88727C98AB474F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter abuse_ch
Tags:bat exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/477289/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65d5f9b8c5e1a083fbf3f4de/reports/3cb9bece-0cb1-494e-b144-73645c0f5835/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d15083c5-de01-49a4-9a34-409e0b9afc53
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1396165
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-02-21 09:06:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5wg4bkfphu4wbbabjixsel3ryl5xxo3bqua5bpx72oxpjnjab4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07e858606138fffa52b802f81ca769f8d24ca1c774aedffc44d70bc4c8682753
Formbook
0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
Formbook
2132f7ef747d47bb65a9525dccacf04e967102d6de055179f80d8cbf62a65b76
Formbook
5c7af580a755c6428982c8e3c8ca29efc031d6897e3d8ff91570acdcf3961fe0
Formbook
66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9
Formbook
ad57f899206fa651ac5845fc8d7dea622b7489308694620aaa8032ea23333b07
Formbook
b7bb528bfd86aea46c414f10f8463641a79e357b26d6b1b719d1e203bfa876ed
Formbook
+ 731 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240221-qnzp4agd87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
9d1dd15d6d37bc34ff7581219f40a1cca57d2b0348b3dbac325b569ba85fb9e1
MD5 hash:
d21fd483215e5ffb13fe266c18d8c96a
SHA1 hash:
e27343879f17444dc9328e93f4d518f560cb3267
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
Parent samples :
2132f7ef747d47bb65a9525dccacf04e967102d6de055179f80d8cbf62a65b76
7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079
SH256 hash:
957db6f4e4bc0ad7b724b0c6e17ec54688ac71cfdf4c6ad71642fe8b6c935bd5
MD5 hash:
c58a6a26c3e8e0d8176b63584d44ff7e
SHA1 hash:
f77f2e466c6413eb72fe25752dc8d47b431652bb
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
2f507ffbc01e790b279a0b274ff2457e8cc9e48b661c7bfaa8017be899d1fa1b
MD5 hash:
b3128437d33eed6119034064f1e07607
SHA1 hash:
12b3977bd032dd1ca78dce2032550368a6b6b52b
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
72638f4b30cc9dab51d31216991957bf1cd118b8a8743227b3e8f9c4805f7628
MD5 hash:
2a8240bba06e832ee5d136a0a7e5b5b9
SHA1 hash:
de49d9b33004a4a622a4279b3ee2b3e3e5cd012b
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
a73f6c4257cace31fac966ad1af67ec7345cf945f6ed4cb08ec55dfa340dd110
MD5 hash:
1db3b35e460e37aefa12d1bb46d29ad7
SHA1 hash:
56c55a1cc133ff7c69c7e3a532ddbc65848e4c51
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
ec592062c41d26d7046ab135fbabaf80e69900ba940ca654261cda17109f8769
MD5 hash:
09f7fb78314d30bf7c69d72caa9da978
SHA1 hash:
5536e0f86fe6e36f11e5ba03a8f559675dd82f30
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
42e5bbee4b498550f505c1232326adbf9d5d23c7e90174eb142b4963b879fe7b
MD5 hash:
100a8095e042378d2c227eb0ff37b6d4
SHA1 hash:
32c4a6457d7c01e9e135c3750d571114bc0ef3a0
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
75fd1b0c36a9fb56cb08e426c8f41a230f15079c20fbee432e2a6a51c66ec185
MD5 hash:
09a425469bfec000a43806b2f82342ae
SHA1 hash:
9d5d4016f912fc3d9e5a0d7c03051b0ef2ba4585
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
927673307fe516aa86056e49a8f3c3825d8afb8882b4d403d57bb828a508c5e1
MD5 hash:
75e89997d5221711fc8d5e9b99dbf3e6
SHA1 hash:
8da7774a4c5fe87bad2aeeb3a2be8f910079aee3
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
67fbdeecc1f98e90da9dd640e4fea7dbf08c32322aefa52541ec8416790c5b85
MD5 hash:
0b0a17d110f9445cbc05ff3d961aa9f3
SHA1 hash:
8a36bedc700595abcbce83d9602b9895e1682512
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
5af964bcec92bfadb951113d42d17a2e5044379b1a4308ae0080d03c776d2ead
MD5 hash:
0829298d1acbba0f6471cacd80330436
SHA1 hash:
812e0b06e7ee69c7c146ba3f41e7d8f1af16614b
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
b078589287f6017e9a4c74b74a36fb1679e66e67b73cc24e9359a2c4fc691ab1
MD5 hash:
1f92b47f8185804f2fdcb44d3a11cc25
SHA1 hash:
2131adc8f400b4a21bc831c3327935678737143d
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
a0f6f3112da707bb2b5a1ac43c6a5c32147554ac1e8f4f9e2616c363c73fbe8a
MD5 hash:
d601bfb1e64dd72abf247d42e3bd34c3
SHA1 hash:
0c1c71e13f36b238100d99f4b5029d1a46e530dc
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
SH256 hash:
7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079
MD5 hash:
50f3c43ed43497ee1b222d999104dba6
SHA1 hash:
4d3772c9696ed20667d66bdf1fe300482c8db1a1
Link:
https://www.unpac.me/results/31e80f6a-bffe-4d6b-9cda-7e4488e3ad51/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f6c6e054579/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/477289/

Comments