MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04
SHA3-384 hash: 7f7bb1746e7ce2e53881e01540629bad2b1247fdb1bea6d9ccb04c4ce35d79284e1ff9fc9b2bece9787a6df96c023ee1
SHA1 hash: 34924a324da597c6df88b1719af7907fd2f6df73
MD5 hash: 009a24792496f65b834a3b8d2ed97c97
humanhash: fifteen-carolina-ten-three
File name:Nossa ordem.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:614'912 bytes
First seen:2023-07-18 06:37:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UcdIYZ9hQfrtgqfyz1gMneWW32THeqI2xg5p6E+qTrQaSejL8Zb:UctYrCqfy0WW327eqI2xgLGqTrQaSejI
Threatray 3'346 similar samples on MalwareBazaar
TLSH T162D4CE39603C8BAFE757CBB6E430115213F017A61AF2D28C8CBA759F3D75724A540AB6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c198989999e9b179 (16 x SnakeKeylogger, 13 x AgentTesla, 8 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Nossa ordem.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-18 06:41:26 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/9d186494-1dbe-479f-852b-c1e62706cb40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423260/
Detection(s):
SecuriteInfo.com.Variant.Lazy.362621.11832.17020.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64b63351feab465ae3505a6d/reports/aa942956-7598-40df-874b-36c0089d1ffd/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4a95fc08-4e95-480a-80c4-ad07470bf060
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274900
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1274900 Sample: Nossa_ordem.pdf.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 31 www.1wsdok.top 2->31 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 11 Nossa_ordem.pdf.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...29ossa_ordem.pdf.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 15 Nossa_ordem.pdf.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 4 1 15->18 injected process9 dnsIp10 33 soul2be.academy 81.169.145.76, 49696, 80 STRATOSTRATOAGDE Germany 18->33 35 www.soul2be.academy 18->35 37 3 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cmmon32.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 00:56:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdakj4myxgn6ik7ek3kjzvqxgg7mlbjcvap4c4hpit4sffvdtyca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0678008b99744da75d64b17e189a5f8934780a0ddf2384d8c24e4240f796dc34
Formbook
190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5
Formbook
4061f4ecc5f9ea83a7f8f3c084b3999dae002d26c1dc62d7ddecd2c5f21a26c2
Formbook
68f739e8cec56189a152729584f046954f13e32426331970eb755538a8008f1c
Formbook
7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde
Formbook
a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
Formbook
b0d24f4ca574f8e54fc1e23097d9f6b45ec8c37e7732e43a96daea3179b44aa8
Formbook
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
Formbook
ead9b9c37d63a3b18959e6f4926d76364408f76ed882fad8e8b34ec496702bda
Formbook
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895
Formbook
+ 3'336 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:p1a4 rat spyware stealer trojan
Link:
https://tria.ge/reports/230718-hd4masgf95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
9e4c7f982fa3cc556a57a252789cb6a6c5d6a4a610ac0940b82632c5f7618338
MD5 hash:
f7a973cfb43d34779e99be8543f68a92
SHA1 hash:
1e770eb4c5b92bbc8e4911f7108ec601036e568c
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/49d2fa6f-ccb5-449b-9b3b-e2a83ef911eb/
Parent samples :
88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04
95c058c714f6b443f68eedc24f78b9b5b834b4e4d77dbc20666684bc6d2e321d
SH256 hash:
4be50f02a62f8412b24a1592b27eeb88088def20e46834e41c272fd4d36aac3e
MD5 hash:
043984b1e64aa388748fdd568eac8867
SHA1 hash:
f8836d740f1c1fbd079126ccb641dabcc42542f4
Link:
https://www.unpac.me/results/49d2fa6f-ccb5-449b-9b3b-e2a83ef911eb/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/49d2fa6f-ccb5-449b-9b3b-e2a83ef911eb/
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/49d2fa6f-ccb5-449b-9b3b-e2a83ef911eb/
SH256 hash:
88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04
MD5 hash:
009a24792496f65b834a3b8d2ed97c97
SHA1 hash:
34924a324da597c6df88b1719af7907fd2f6df73
Link:
https://www.unpac.me/results/49d2fa6f-ccb5-449b-9b3b-e2a83ef911eb/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88c0a4f198b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 88c0a4f198b99be42be456d49cd61731bec58522a81fc170ef44f92296a39e04

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/423260/

Comments