MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3
SHA3-384 hash: 38cb178eca8efec0fe9c348e550b89090de0e99c4d105457d88ce0ecb31a9b9ffdfe3d975ba5854837d9e5e201707d2d
SHA1 hash: 8de02f0e58b6bfd5dc0f6171cffe296b78f982f3
MD5 hash: 886b7b19b249feedce1ed7ae3ea155a3
humanhash: wisconsin-johnny-april-bacon
File name:pedido761396939049.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:719'872 bytes
First seen:2023-12-06 12:02:34 UTC
Last seen:2023-12-06 14:10:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kueH5q9NFWunNuK0l8bXNBzEwwUk736pHxn/w+Hh8ZS63488P:oq9NFLN900Euy+Hh8Z0L
Threatray 418 similar samples on MalwareBazaar
TLSH T16CE4021167BC1B27EAB287F929B4282403F5782B3AB5E7DD0D8670DA15A1F050F82F57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
328
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462841/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/657062f63636548f373de620/reports/cea9a315-8d07-48ec-b3a4-7d61f54fc80d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db81cad4-a412-4d65-9a0d-18f16c831c78
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354560
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354560 Sample: pedido761396939049.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 26 www.twinlogo.xyz 2->26 28 www.manekineko106.xyz 2->28 30 16 other IPs or domains 2->30 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 54 5 other signatures 2->54 10 pedido761396939049.exe 3 2->10         started        signatures3 52 Performs DNS queries to domains with low reputation 28->52 process4 signatures5 56 Injects a PE file into a foreign processes 10->56 13 pedido761396939049.exe 10->13         started        process6 signatures7 58 Maps a DLL or memory area into another process 13->58 16 vZqTgVmcdrWuKlpNkPXNp.exe 13->16 injected process8 process9 18 logman.exe 13 16->18         started        signatures10 38 Tries to steal Mail credentials (via file / registry access) 18->38 40 Tries to harvest and steal browser information (history, passwords, etc) 18->40 42 Writes to foreign memory regions 18->42 44 3 other signatures 18->44 21 vZqTgVmcdrWuKlpNkPXNp.exe 18->21 injected 24 firefox.exe 18->24         started        process11 dnsIp12 32 www.gcxponmlkjihgfez.xyz 162.43.117.107, 49778, 49779, 49780 CYBERTRAILSUS United States 21->32 34 www.twinlogo.xyz 66.29.149.46, 49770, 49771, 49772 ADVANTAGECOMUS United States 21->34 36 10 other IPs or domains 21->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 10:27:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r56lastcnddd3ev4sbvm2ddjc6oxijnt5vfxflaek5ehddlwkljq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0270bf6f65f3621ce171f6f10083e4f4730c3b985968d7a1c8f003bed2662be6
Formbook
11d9bfab2d9c7344ef52970bd53f3dae040d3821f8ff0a03ba1f3d92593f7717
Formbook
1b406a68c4eafc78f127b013623b0d64d07b8a586ccd7fc6ebab8254fea0a469
Formbook
22c8a9f75b36b8253d59d189bea6ca376dcb2a1ae911dae579539dff1760bc43
Formbook
40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575
Formbook
6d8afb68b928295f05583e78494d1153de14ca750751ed7c434ac6864c7e344e
Formbook
b2933d4ea491c2643557a6c3cfa8ef69e67b930dafdc1ba1f128da513752f449
Formbook
ebaa05165e9a04e110a016a74016effe016f9e19c83fc73f25ed6b3c49db40d8
Formbook
+ 408 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231206-n71qdsee62/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e8b224e8084b26bc1900b890cbe4ce8484c21a6f7669f964049e67b25f4825cd
MD5 hash:
296a7928a0a17e9926edc09fde191ed3
SHA1 hash:
278be4202d6de8f75268c35ecee57827258b59d7
Link:
https://www.unpac.me/results/af9ec325-4ece-4b4f-9301-473f395c9bb3/
SH256 hash:
c516fa6d911a9a818469a610bcfd2e3a080450773353e6fd31ae8868940913b8
MD5 hash:
52f5d2a584aff291656efaf7c0d82fde
SHA1 hash:
33a2667c1de4b9678ca767e326d38bc5a1cd24af
Link:
https://www.unpac.me/results/af9ec325-4ece-4b4f-9301-473f395c9bb3/
SH256 hash:
797e57bd74a68f7b4808a213f5c319ee4f4b023bc73088175d4393dfee9fe329
MD5 hash:
3c927935fbd608e7628cc2c5ad7d52fd
SHA1 hash:
ee0c880c0614ac960fd641f7d479233584aed1d8
Link:
https://www.unpac.me/results/af9ec325-4ece-4b4f-9301-473f395c9bb3/
SH256 hash:
cbdf8885b350dfc3070eb12ba5d1e85c0b52fb12cf2f3089d7327a1b345ffdd5
MD5 hash:
856c20b960e5080e9649157523c8dac3
SHA1 hash:
8785e268061a6da51dc7df86e58a2dd1e6913bd3
Link:
https://www.unpac.me/results/af9ec325-4ece-4b4f-9301-473f395c9bb3/
SH256 hash:
04dc3eaa8d7a57193b6547d347795128a1f044c58a4e2510ca19fd30f679bac9
MD5 hash:
f9f4b9128836ca0e85bebe7ee0a42b18
SHA1 hash:
7c5da3923944851d424d69ce9128dcedffc19b25
Link:
https://www.unpac.me/results/af9ec325-4ece-4b4f-9301-473f395c9bb3/
SH256 hash:
8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3
MD5 hash:
886b7b19b249feedce1ed7ae3ea155a3
SHA1 hash:
8de02f0e58b6bfd5dc0f6171cffe296b78f982f3
Link:
https://www.unpac.me/results/af9ec325-4ece-4b4f-9301-473f395c9bb3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f7cb04a6268/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8f7cb04a6268c63d92bc906acd0c69179d7425b3ed4b72ac045748718d7652d3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462841/

Comments