MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
SHA3-384 hash:	8955294098c448f55029485ab136cd1e9a2b13e02f63346e8dbbcb4f40ac0d85f139c25dbea0d0cd9667ad7078199729
SHA1 hash:	a62493a29bbf11eb89f0c5e88941b4589d6be344
MD5 hash:	8edc42a2925f2e7b89017920bba0692b
humanhash:	north-december-bulldog-undress
File name:	PROFORMA INVOICE PI160256.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	679'424 bytes
First seen:	2023-05-25 07:23:35 UTC
Last seen:	2023-06-05 13:50:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:RWVtPplTY6RhKuM7FKIIUnRhxUHzbuMD/6XONXSW4blGZxdtQYDoF6:cVJTDEP73nRhxUvXDPNXSWmlOtQYX
Threatray	2'932 similar samples on MalwareBazaar
TLSH	T1CDE401407A6CEC67C4AACBF805185274533A5AA2B962F3CB5DF6B5CB59C6BC103C48C7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PROFORMA INVOICE PI160256.exe

Verdict:

No threats detected

Analysis date:

2023-05-25 07:26:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/39487af1-22ed-4563-b6fe-0e1956c0c2ee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/391411/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67205588.1905.23320.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/646f0d111d162541e4be85f2/reports/a0509174-06a1-4275-913f-794a572940e7/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4246c154-ffa0-4a29-9d5a-1bafd530947a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1242830

Signature

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-24 12:46:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 35 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p6ugrsiig5gzusaqdp4o2jvs6ldwe5zvsqig6f3l2tfcpgursmwa._file

Verdict:

malicious

Label(s):

formbook

Formbook

172d54898a3dda39ec73f1c8df94d0ffc04d12af506caf5e916e1ae899448357

Formbook

571f10fb2f8ed39463e85d4a5af98f8203489b60d7a634d890462f10d6b15f2d

Formbook

70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1

Formbook

7417cbf823e1318517ba9b0f02ce10a5b75cd778cde237dc4e4f32f385521617

Formbook

801d576bb23bc641913bc54199377e1f87d43360086202b42834eabb44f6fc19

Formbook

833a839bf412c22e06f2a3c0622e460df8fc5edbf55cdad09e7b76d5d73dacaa

Formbook

a0944a8143c9b1520e9d4c27ba2a6699eafc3352c7fecee0039ab0f410b047ff

Formbook

a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9

Formbook

d9880865beba3895d3079082b5e59ab582559e1ac49aa21a2588db39132a5246

Formbook

+ 2'922 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230525-h8cr3aha9v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

f1fcce7a0b22d9d87cc0393d6ddd052c8d2a233435e769771144e8ffd87beabc

MD5 hash:

55768e9cd2597b4bdb71551c4c266dfa

SHA1 hash:

62a7af356b42a915791b4f3150876b1258f78470

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

Parent samples :

57e20958192afa8402b59845234ba6b302a654d2eb75dd71273b8aa0ff115ff2
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
3c7d0885dea33735ccbe857a343fbb7f66a0f03a3e91e4f677ba880b7b670216
4500eda0f4d1cf716592b3e4d2576df69c3a68b585c6de4b560452454474c831

SH256 hash:

775cb3a191a4e3885de59395c77514f70202f0772a9a85530691eab441329c48

MD5 hash:

f514a3784e3d600a27180bf905cf09db

SHA1 hash:

e40e5c2f2a2aa08e927a2a55487a9bef26ca0946

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

SH256 hash:

19e280cd411b20d50beb94896918b61e25e10b27518efe608283a2ac62a8113a

MD5 hash:

b147756c3883e2c0c3635b5c0d75ffd8

SHA1 hash:

60147b9e00bbb956d79ad93ca0b04cb6f309ca96

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

SH256 hash:

a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb

MD5 hash:

de906fce89f615f303ddfb80c1b37b35

SHA1 hash:

3568e3f9f0731da9a3294f4f8de61f95dc3eec31

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

SH256 hash:

b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4

MD5 hash:

7b6143d9d94c8b80d191b77d8b6d1ba2

SHA1 hash:

1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

SH256 hash:

e084916e557fb4ce2b08938a4ecb7c78fb0a06b844a24f73b14ce452a5cc54fb

MD5 hash:

cf0b0c694faf2254940a33f69d97ea3c

SHA1 hash:

093ad5411380b11fc01d7285e98b5ad21f478274

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

SH256 hash:

7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c

MD5 hash:

8edc42a2925f2e7b89017920bba0692b

SHA1 hash:

a62493a29bbf11eb89f0c5e88941b4589d6be344

Link:

https://www.unpac.me/results/aad8c834-0a3c-45e2-a45f-f9052763626e/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.