MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f
SHA3-384 hash: e8a9b205eb3dc48f9aaa77c6bd6318861a05df94af59233bb95a10ea80713b3548f8e17d4b5fbbea76c14caa6e9205eb
SHA1 hash: be7ec30e394baff5abe3c0f1febea47c3f125c15
MD5 hash: cfd7829cca62b85daa083111c4349498
humanhash: cold-orange-butter-glucose
File name:Purchase Order_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:259'532 bytes
First seen:2023-05-03 06:26:42 UTC
Last seen:2023-05-03 06:27:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:vYa6w+og1yyNlocVzpLj8cGWGPlasSmF1FA1gB7/D2sXpDG:vYmqIgo+j8DIsfFfA107bzxG
Threatray 2'776 similar samples on MalwareBazaar
TLSH T1BB4412096FD2C4A3DAB32B700F32276B6BF9BB1114354D979741DA8E3A7B241CA2D741
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-03 06:27:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fccfcf7-5088-4019-a3d7-e96ba4b7b7bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386201/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82276/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/6451feb6463eacbc57dba6e9/reports/843b934a-d4e1-4bd4-b4f9-da146d088f44/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf56a914-2546-4a6b-9386-38ebeab365a0
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1225139
Signature
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 22:27:51 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qh4m4rdltu7bepmb2yl5etgvsmcqx36gsw5hmy3lksgam3yktmpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
Formbook
564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de
Formbook
83e90e75eb49fccf0f69331483311ce57f89b33824fbec54e773af910da239a8
Formbook
b36b113a82b932ee2081484ca969a0fc4008c80199c4c8ab1d3f66f12d9e60f7
Formbook
bedb5ef007caf41eb52f0331f1fdf5997271a828df7adb1e1132063129eba99e
Formbook
d69b13f1276594f9f10cf722a15179b0d71911a92d15a726e1bdd234a880cf92
Formbook
dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
Formbook
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
Formbook
+ 2'766 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230503-g7rn6adg87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
1ec556b9804a8195576bd569f55123e08c93406905b7fe66daadc5369d6c2dc3
MD5 hash:
62459803fbeef4fd6a4a096c937f9d70
SHA1 hash:
ec5a7eab356a72fe2da78f15922b35ae1b411ad3
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e55962d5-cf75-4268-b81b-c7255db8939d/
Parent samples :
564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de
dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f
SH256 hash:
67e25baff0b3f7a1c113efcc745954458fec8a4f7a820602e79eac9d292d48c3
MD5 hash:
7534319157a5fee111d00c04db2ae29e
SHA1 hash:
5e2e6995a015088745da4a1a0cb119fadc1c9e69
Link:
https://www.unpac.me/results/e55962d5-cf75-4268-b81b-c7255db8939d/
SH256 hash:
435f8dfa292c2451ae333cceed423d46fba8cce0106ba19f772a531965902d0e
MD5 hash:
59edb341c995788a7a5048bc24359abe
SHA1 hash:
67776e4a36da0654f1ea511e0acafc34bc167f48
Link:
https://www.unpac.me/results/e55962d5-cf75-4268-b81b-c7255db8939d/
SH256 hash:
81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f
MD5 hash:
cfd7829cca62b85daa083111c4349498
SHA1 hash:
be7ec30e394baff5abe3c0f1febea47c3f125c15
Link:
https://www.unpac.me/results/e55962d5-cf75-4268-b81b-c7255db8939d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/81f8ce446b9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386201/

Comments