MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba
SHA3-384 hash: 065375cad1945c850fee890a47ffe2a4c56fa92ccc2e79e2d6ff4364664d0a5a676fe584044c4aac29ee1862f58d270b
SHA1 hash: 0bc8f8641ae342068b835fefde3a988ee967e76c
MD5 hash: b557e86426cae7435e219702245c096a
humanhash: sierra-lactose-indigo-steak
File name:PURCHASE ORDER-6350.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:948'736 bytes
First seen:2024-10-07 08:12:03 UTC
Last seen:2024-10-07 08:33:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:8tHUbOzOSPUOval4ImjXk0cnD+FL1Ditg:8tHUSOSPZal4ImjXk0A6N1+
Threatray 173 similar samples on MalwareBazaar
TLSH T1B015E01862A98F05E4BA47F45A24D27447B57C9E782AE34E4EC27CEB3D737024F46A07
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER-6350.exe
Verdict:
No threats detected
Analysis date:
2024-10-07 08:45:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c42d82e-7ae6-4625-a107-20d7a0dd8573

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.31403.31616.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67039811b932c04ee8fdc211
Tags:
Powershell Msil Hype Onli
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/670398134f53598f149288bd/reports/65940617-1594-4da4-bc92-8206a36d7770/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba
Result
Verdict:
MALICIOUS
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/766e5427-669a-4dbf-846e-6a426f7232c2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1527821
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Uncommon Userinit Child Process
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527821 Sample: PURCHASE ORDER-6350.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 32 www.suarahati20.xyz 2->32 34 yu35n.top 2->34 36 23 other IPs or domains 2->36 44 Suricata IDS alerts for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 52 9 other signatures 2->52 10 PURCHASE ORDER-6350.exe 4 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 32->50 process4 file5 30 C:\Users\user\...\PURCHASE ORDER-6350.exe.log, ASCII 10->30 dropped 64 Adds a directory exclusion to Windows Defender 10->64 14 PURCHASE ORDER-6350.exe 10->14         started        17 powershell.exe 23 10->17         started        signatures6 process7 signatures8 66 Maps a DLL or memory area into another process 14->66 19 kimQGJLnElqx.exe 14->19 injected 68 Loading BitLocker PowerShell Module 17->68 23 conhost.exe 17->23         started        process9 dnsIp10 38 agilizeimob.app 84.32.84.32, 50022, 50023, 50024 NTT-LT-ASLT Lithuania 19->38 40 www.pofgof.pro 209.74.95.29, 49965, 49980, 49996 MULTIBAND-NEWHOPEUS United States 19->40 42 8 other IPs or domains 19->42 54 Found direct / indirect Syscall (likely to bypass EDR) 19->54 25 userinit.exe 13 19->25         started        signatures11 process12 signatures13 56 Tries to steal Mail credentials (via file / registry access) 25->56 58 Tries to harvest and steal browser information (history, passwords, etc) 25->58 60 Modifies the context of a thread in another process (thread injection) 25->60 62 2 other signatures 25->62 28 firefox.exe 25->28         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba/
Threat name:
ByteCode-MSIL.Trojan.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2024-10-07 01:05:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2xhvhxjpisl426qhgczseuiocewyc4mbh3drqjdsqpaspkmx65a._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
5565d238feb8a0e52f4185f696eac6e4d817d878ca99aab4ab16a341b3c828ed
Formbook
a2e0b264504e6338c455b6227e85273903c8f1f901809eeaaaec9e917ffb09dc
Formbook
f30297ce3c8bc97f49286ee0c14b241d6653a2e992de11213aa25a296ab485cd
Formbook
f758dbb63208445f8ed1f1d8bb648759ba6f1b8116b6ecd2ef996f8be008128b
Formbook
+ 163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241007-j3zv3sygka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01479085-2791-4f81-b565-48bc352d48ee
Unpacked files
SH256 hash:
e4c7d5efbdd960f66e0c0b8c4cf65053d4fca50bb5d5391c4340dd9a8f04ecec
MD5 hash:
bd59cf7b1e5036a83fc0a60061bd7ade
SHA1 hash:
bed8f04706d218fb95e4a3611a7004c76b6ba19d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/129c5d08-0696-4ea6-b018-f0310988ae58/
Parent samples :
557195c150cfc25ab58399c7067bd4abf90afa511b68c5ad6bddcc829e1455b0
405f4016376e02c97d8509d2627c7bb3be0583f46aa5a1ea57d96252b759f1f9
84d6ace5c1e4f08f38bc1fb749b7f06e6eb7750e45d6b97b61ee08483ae8538b
d55b00b7cb5305371e1cc170179e7025cc517b810e57992adab16893b410985e
8b528f3a173e7e40394c21bb0cfa0304ef12b58ab185de1da8e4b4e5231eee8a
86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba
SH256 hash:
91e1f1fcd38f4922fb63fdf0dd76d98cc255fd9f6146d0c8c2d679d752eb79d3
MD5 hash:
5946625d1dac8427d589352d8ecd5cbd
SHA1 hash:
af0e7a570dc0d6d273b7c3dc214ebc1fefe3a334
Link:
https://www.unpac.me/results/129c5d08-0696-4ea6-b018-f0310988ae58/
SH256 hash:
68208707fd10980abec23656822659e3723650823702c9ad7656b690c092aeaf
MD5 hash:
67f83cb1e808ae56bc08b6e549647155
SHA1 hash:
276784d491c6e907ce83c540f57411e083d66023
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/129c5d08-0696-4ea6-b018-f0310988ae58/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/129c5d08-0696-4ea6-b018-f0310988ae58/
SH256 hash:
86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba
MD5 hash:
b557e86426cae7435e219702245c096a
SHA1 hash:
0bc8f8641ae342068b835fefde3a988ee967e76c
Link:
https://www.unpac.me/results/129c5d08-0696-4ea6-b018-f0310988ae58/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86ae7a9ee97a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 86ae7a9ee97a24be6bd0398599128870896c0b8c09f638c123941e093d4cbfba

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments