MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691
SHA3-384 hash: d8f0115de12d9b008be4a6f15c1356ee3d59fd5487891a6981a96280df809ab8b0f48e0ce0f947d5b9eadd46a23e2b95
SHA1 hash: 025f5d056b57eb9252fbc522ca6876ec202c6bc0
MD5 hash: b1311ad41536fd0a267f86dff10ae0f9
humanhash: mississippi-kilo-kentucky-queen
File name:SKGCM_YAHYA AZHEBSİ Ponuda proizvoda7.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:252'736 bytes
First seen:2021-10-27 12:39:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:wBlL/coEyg3wCJczganQtejAgC/OP0B0AbZQsWl0:Ceos31ZazMgC/40BPtQsq0
Threatray 11'035 similar samples on MalwareBazaar
TLSH T12F34127772C284E3D5AA87F026734B3BF167A21E4258E95B4B714E7BBB309D3801494B
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691.zip
Verdict:
Malicious activity
Analysis date:
2021-10-27 12:40:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e95963ef-2a44-4fec-ab60-ed06b42b9a1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200541/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/617948a7db358dd15edfbc63/reports/e3ee1a3c-d87d-4c96-813e-952b1936981a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/981e6247-859b-4641-b0e2-fde8e64ed3c5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877739
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 510170 Sample: SKGCM_YAHYA AZHEBS#U0130 Po... Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 33 www.cletechsolutions.com 2->33 35 www.certidaoja.com 2->35 37 2 other IPs or domains 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 4 other signatures 2->51 11 SKGCM_YAHYA AZHEBS#U0130 Ponuda proizvoda7.exe 17 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\oruvlbgmh.dll, PE32 11->31 dropped 63 Injects a PE file into a foreign processes 11->63 15 SKGCM_YAHYA AZHEBS#U0130 Ponuda proizvoda7.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 39 www.smplkindness.com 18->39 41 perfectionbyinjection.com 162.241.226.37, 49797, 80 UNIFIEDLAYER-AS-1US United States 18->41 43 14 other IPs or domains 18->43 53 System process connects to network (likely due to code injection or exploit) 18->53 22 colorcpl.exe 18->22         started        25 autofmt.exe 18->25         started        signatures11 process12 signatures13 55 Self deletion via cmd delete 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 61 Tries to detect virtualization through RDTSC time measurements 22->61 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 12:40:10 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p63skhhtjdkbgbm5ubipe7sm3gsptsudho5rd5ku4glbfudau2iq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19428f9c431fb0f8d6fbd9ca194589bacf9d9d3e475717031373b71982bea2a5
Formbook
21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
Formbook
5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936
Formbook
7b11c921e5383232009985b5912967978ae269287359f9c1718c2b37e1a067f8
Formbook
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
Formbook
ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3
Formbook
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032
Formbook
+ 11'025 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211027-pv8qxahbaj/
Behaviour
Enumerates physical storage devices
Unpacked files
SH256 hash:
7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691
MD5 hash:
b1311ad41536fd0a267f86dff10ae0f9
SHA1 hash:
025f5d056b57eb9252fbc522ca6876ec202c6bc0
Link:
https://www.unpac.me/results/50750d1a-2bbc-4167-9598-7e23f8eb7aea/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7fb7251cf348/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7fb7251cf348d413059da050f27e4cd9a4f9ca833bbb11f554e19612d060a691

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200541/

Comments