MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842
SHA3-384 hash: 4575c38397ddea40afa631bc2c16b1ac1149ff02c4ea04123a4ee4e3572cb13a0d2e669735659311eff43f2a0014e647
SHA1 hash: c263503d32c1a2f78b246ca5157d5684c1b273c8
MD5 hash: ae68bab11d840d137d0bbc43cdf39300
humanhash: california-bakerloo-charlie-item
File name:PO09241115.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:806'400 bytes
First seen:2024-11-14 08:32:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:JOQCJVMj+1/GPyKEZwiNrOigGCk2XQfO:2aq1/GPjEb+XA
Threatray 19 similar samples on MalwareBazaar
TLSH T16A05F1407AE8AB26E9BA57F00032C27007767E5EB824D30E8ED5ACDF3C26F455955B53
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
479
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6075.31402.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6735b61b0552fd58596bc78b
Tags:
virus gates
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/38f8eda1-5452-47da-9f3e-af9c39d5d960
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1555671
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842/
Threat name:
ByteCode-MSIL.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-11-14 07:19:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtt3gb4qyfi4tnxxrdh6i3papz7o6hx3jfhkl456kjif5gnz5bba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
04dab42e8f694a3fac6b3ea2532462e89e9118c928545710a872d34874376a49
Formbook
0bc8eae9fe2dc6af83e1b798f9a6b5ef27117c5b8462664a944fca34a4e1e464
Formbook
7b70d479034f458a6b695cc3c8aefd50c771ec183b749276aa66d18a6a33466c
Formbook
84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842
Formbook
b8d4c86463b945f866e0396ecf65af0e67e55224eecce97b033e25e816eca01e
Formbook
c808c0c3fa3065742e408db2529ec659ccfc81c4bcff0b58020b3387d292e362
Formbook
cfbea36edccb76c40ccc6f01d8cbf2d467533ecb1f3e7c7c709532998518b8d9
Formbook
error
Formbook
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241114-kfvtaawfpj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3a18f9df-8915-46f7-8110-84d76951e21d
Unpacked files
SH256 hash:
7471324b1d5daf7d9da1eb99ba8dd976e1c707e16aab01e0d6dab5b9adf96b22
MD5 hash:
bee669d8b16adbda77f6aa5ba684d1d0
SHA1 hash:
8770331d351f1207f7bde73d3328e293787b1d97
Link:
https://www.unpac.me/results/0eaf3f25-03cb-45f1-ab9b-2ad7c8e78580/
SH256 hash:
b4ff833ff7081c3016a408d7f8c761efe98d9da9737698063a423be452e93a1c
MD5 hash:
bdad1b1a5bd07e9596495e4d1d01d8e6
SHA1 hash:
035d31bc41f23a2c70675277d1e4e3fb162637e0
Link:
https://www.unpac.me/results/0eaf3f25-03cb-45f1-ab9b-2ad7c8e78580/
SH256 hash:
093250c615269860e2aabb8043763fefab2fdd13a7dc57f67d2b062a989f2189
MD5 hash:
e53f93e34f822b88d16ef0bccf01bb50
SHA1 hash:
0dedf769f70aa4e4c9dfe9bfc5187b483c1acdd1
Link:
https://www.unpac.me/results/0eaf3f25-03cb-45f1-ab9b-2ad7c8e78580/
SH256 hash:
5561c3c407ede581f6393c9df1be2343978cede632e7bc0f7ad2555eac14e24a
MD5 hash:
cc9b8e156fcfe3fa5c9cff792fc56d16
SHA1 hash:
047333d1ab14771ec8c6026532e3c7aa7b25d92a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0eaf3f25-03cb-45f1-ab9b-2ad7c8e78580/
SH256 hash:
84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842
MD5 hash:
ae68bab11d840d137d0bbc43cdf39300
SHA1 hash:
c263503d32c1a2f78b246ca5157d5684c1b273c8
Link:
https://www.unpac.me/results/0eaf3f25-03cb-45f1-ab9b-2ad7c8e78580/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84e7b30790c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 84e7b30790c151c9b6f788cfe46de07e7eef1efb494ea5f3be52505e99b9e842

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments