MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f9b8fcc527d02e66b49d76ff52297d69dbf237a8dd4342fdf3f49a2189c67d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: 7f9b8fcc527d02e66b49d76ff52297d69dbf237a8dd4342fdf3f49a2189c67d0
SHA3-384 hash: 234a8e396880d88bcb9a46d3edf1a5700a32667ae52b97de1801efe522dc68efdadb52d822e07809d44fc6142605753e
SHA1 hash: 069d6d2395ec518d0156b6d02519d3b8e896e5b5
MD5 hash: 22b365e10dd635468212251994b194bf
humanhash: juliet-aspen-echo-east
File name: FEDEX TRN 771893954554.exe
Signature: Formbook
File size: 2'341'888 bytes
First seen: 2023-04-20 12:54:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:iB26eZ4fTPkhZ2PAG0pMn6+YZ8IOxSD68Q81Zr6kNefAd/YK2HzQX9Kub+YSgrBK:Zhhj+EbjDE81R6iY7O
Threatray: 956 similar samples on MalwareBazaar
TLSH: T131B5AF370EB2FEE2E7A44A7FED4235941DACDDF74B1DB206388C30A90DB865499059E4
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 311
Origin country: DE
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: FEDEX TRN 771893954554.exe
Verdict: Malicious activity
Analysis date: 2023-04-20 12:57:58 UTC
Tags: formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph (ID 850972; sample FEDEX_TRN_771893954554.exe; start date 20/04/2023; architecture WINDOWS; score 100). The graph image itself is not preserved; the process tree and per-node signatures it carried are listed below.

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures.

Process tree:
FEDEX_TRN_771893954554.exe (initial process): dropped C:\Users\user\AppData\Roaming\...\Vmfdofz.exe (PE32), C:\Users\user\...\Vmfdofz.exe:Zone.Identifier (ASCII) and C:\Users\...\FEDEX_TRN_771893954554.exe.log (ASCII). Signatures: Encrypted powershell cmdline option found; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes. Started a second FEDEX_TRN_771893954554.exe and powershell.exe (which started conhost.exe).
FEDEX_TRN_771893954554.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injected into explorer.exe.
explorer.exe (injected): connected to www.boosthacknet.com (160.124.149.62, ports 49696 and 80, POWERLINE-AS-APPOWERLINEDATACENTERHK, South Africa). Signature: System process connects to network (likely due to code injection or exploit). Started two instances of Vmfdofz.exe, control.exe and 2 other processes.
Vmfdofz.exe (first instance under explorer.exe): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Encrypted powershell cmdline option found. Started another Vmfdofz.exe and powershell.exe (which started conhost.exe).
Vmfdofz.exe (second instance under explorer.exe): Injects a PE file into a foreign processes. Started another Vmfdofz.exe and powershell.exe (which started conhost.exe).
control.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements. Started cmd.exe (which started conhost.exe).
Vmfdofz.exe (child of the first Vmfdofz.exe instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique.
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:oa09 persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SHA256 hash: 7181f235e6e3307786ec3d2c78b3ab9dc2923261d1825ee4a15e97156074a891
MD5 hash: f005b422a3b80d5b5f0926ee13579c73
SHA1 hash: abfbe1c95eeaa3ba712897a5acd9c6556b20b2b1
Detections: FormBook win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash: 9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash: d0b416de1c900b6bcb35dc182b2e8744f16c3289

SHA256 hash: d9b2b3ae7488bd51294411d143510bc913b858b1f8a0fd4fb7317c856495883d
MD5 hash: d6ea314daabd5025355c5dc91214215d
SHA1 hash: b56c22e0abfd9029ee2b8f84a7cb813e234c0225

SHA256 hash: 7f9b8fcc527d02e66b49d76ff52297d69dbf237a8dd4342fdf3f49a2189c67d0
MD5 hash: 22b365e10dd635468212251994b194bf
SHA1 hash: 069d6d2395ec518d0156b6d02519d3b8e896e5b5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: reverse_http
Author: CD_R0M_
Description: Identify strings with http reversed (ptth)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Malware family: Formbook
Sample: Executable exe 7f9b8fcc527d02e66b49d76ff52297d69dbf237a8dd4342fdf3f49a2189c67d0 (this sample)
Delivery method: Distributed via e-mail attachment
