MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a
SHA3-384 hash: 1fc5f72fbdc326be9beb714ee927210477bd360862e7964baf76d406ca8ee134099a5d0a64d6c8ff2712e838e4d36f54
SHA1 hash: 7cb038c7163edefcd7d3aec0e57991cac45c07a2
MD5 hash: aee46516e3c3cf8682cf1594f04fc8cc
humanhash: alabama-mockingbird-whiskey-single
File name:Signed final agreement.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:852'480 bytes
First seen:2025-01-28 05:41:27 UTC
Last seen:2025-01-28 11:16:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:g21d2kXfSTMNbw1HoxbUHgQfYiqo5IJLR:nE46TMNbw1cUHbqL
Threatray 192 similar samples on MalwareBazaar
TLSH T1F005D0D13F26731ADEA96A35C219EDB592A51A78B0047AF766DC3B5332CC112EE1CF00
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 66e69a98a2cada92 (5 x Formbook, 3 x SnakeKeylogger, 2 x MassLogger)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
599
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.32081.22240.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6798706409fca627796384b3
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67986e2bff3580ba7f0ce10b/reports/4d664c32-10c7-4ef8-a0ea-18d67b855e05/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc25d890-74d0-4c7f-8e8b-2375077af4ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1600990
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1600990 Sample: Signed final agreement.exe Startdate: 28/01/2025 Architecture: WINDOWS Score: 100 30 www.fz977.xyz 2->30 32 www.031234990.xyz 2->32 34 17 other IPs or domains 2->34 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected FormBook 2->46 48 Yara detected AntiVM3 2->48 52 3 other signatures 2->52 10 Signed final agreement.exe 3 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 32->50 process4 file5 28 C:\Users\...\Signed final agreement.exe.log, ASCII 10->28 dropped 13 Signed final agreement.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 tYI14ywgi8WexKDk3reK.exe 13->16 injected process8 signatures9 42 Found direct / indirect Syscall (likely to bypass EDR) 16->42 19 secinit.exe 13 16->19         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 19->54 56 Tries to harvest and steal browser information (history, passwords, etc) 19->56 58 Modifies the context of a thread in another process (thread injection) 19->58 60 3 other signatures 19->60 22 tYI14ywgi8WexKDk3reK.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 36 031234990.xyz 144.76.229.203, 50033, 50034, 50035 HETZNER-ASDE Germany 22->36 38 www.fz977.xyz 104.21.16.1, 50045, 50046, 50047 CLOUDFLARENETUS United States 22->38 40 10 other IPs or domains 22->40 62 Found direct / indirect Syscall (likely to bypass EDR) 22->62 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a/
Threat name:
ByteCode-MSIL.Trojan.Hesv
Create hunting rule
Status:
Malicious
First seen:
2025-01-28 04:16:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7gijfuccs2xxlefqoxnrunbhtqfxctxftezpr6454livpdqx4na._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
12bd2e88e60fb4e93881164b51c270121034f7ed01bef4ae0741abd8e532d77c
Formbook
44c3fc308875ed0c6fcf4a10068e2790eb3397bb441b38ede833361312f74997
Formbook
4ad59341983721e993d8e08ed447a71481b01e0b6afa50251ae312cee4b17805
Formbook
7c3a286e6c2a9e2b50a81e67dd03ba27e6dc6fa7bc87f45d0e51056252823cc1
Formbook
804cb8891f2829caf32366e9efbbeedd19eab55288ca94702d1c29ffded6d463
Formbook
error
Formbook
+ 182 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250128-gd1d7szjam/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/31a2cc7b-1c95-4535-a953-8a46fefdfd05
Unpacked files
SH256 hash:
fef13db230d52659fe41660c66f9200b7355035ed3dae63d7bf60ebfb28d739b
MD5 hash:
e53517b4abf530330e218e2f099afa65
SHA1 hash:
875d6361a4c0fb31b7cbf26cbf3d7249c8b0b32a
Link:
https://www.unpac.me/results/76247551-7797-4dc1-867e-10b4a18918e4/
SH256 hash:
e8044f63acd1c3c9fddb084d2b58532119d2a69951fac1501d7cd05d8ba1df5d
MD5 hash:
edeca737824c0165209878705bc1438d
SHA1 hash:
953afa000960ed6635fd003f2748cf71cad6351b
Link:
https://www.unpac.me/results/76247551-7797-4dc1-867e-10b4a18918e4/
SH256 hash:
02fa75fe93dca6bd94540dd6b4c613aeef86b030a4fdcee6dffce9d15c5268f7
MD5 hash:
2dd8007a185909d4c199b96c9ecd8644
SHA1 hash:
8e2cfb7bb693b8dc332ef522f430904c1f6e404d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/76247551-7797-4dc1-867e-10b4a18918e4/
SH256 hash:
61e8f7f9b84d852175b992f8c488dbfe13a299e66c2bdfea5b40a618e9b3c782
MD5 hash:
865136097ff65e2474feabacab543c53
SHA1 hash:
0686e67678adcbc1b7a21d7d791eb91f7ea564eb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/76247551-7797-4dc1-867e-10b4a18918e4/
SH256 hash:
87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a
MD5 hash:
aee46516e3c3cf8682cf1594f04fc8cc
SHA1 hash:
7cb038c7163edefcd7d3aec0e57991cac45c07a2
Link:
https://www.unpac.me/results/76247551-7797-4dc1-867e-10b4a18918e4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87cc84968214/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 87cc84968214b57bac8583aed8d1a13ce05b8a772cc997c7dcef168abc70bf1a

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments