MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
SHA3-384 hash: 95baeb332d6fd46d85e4b3dd12407260f0aed64030dc2755c349cfe5bfacc092e976984d26de6c76ec41b17bc6bd583c
SHA1 hash: 8d92bbb1f1d103edd65ae7f0c607bb255b2d025e
MD5 hash: f98bec40f03d25ad5b32a76d9c2ec644
humanhash: pizza-ink-eight-december
File name:PURCHASE ORDER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:799'232 bytes
First seen:2022-10-02 10:06:09 UTC
Last seen:2022-10-04 08:04:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oAr2iNEmbRuWQbYMoqIydCZUjisTh6GD5BWjULBmb:N1ziDIA0Uhr5kju
TLSH T18C05E1271BEA4B0BD125B6B894D1C3F6A3A9CC11E173C2DB6BCA5C1FF08A165D760361
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315715/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9754254a-5911-4d4b-95fa-bd13813873b0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081860
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 714417 Sample: PURCHASE ORDER.exe Startdate: 02/10/2022 Architecture: WINDOWS Score: 100 43 www.madhavropa.com 2->43 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 11 other signatures 2->59 9 PURCHASE ORDER.exe 7 2->9         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\LCxTzOU.exe, PE32 9->35 dropped 37 C:\Users\user\...\LCxTzOU.exe:Zone.Identifier, ASCII 9->37 dropped 39 C:\Users\user\AppData\Local\...\tmpD2C2.tmp, XML 9->39 dropped 41 C:\Users\user\...\PURCHASE ORDER.exe.log, ASCII 9->41 dropped 63 Adds a directory exclusion to Windows Defender 9->63 13 PURCHASE ORDER.exe 9->13         started        16 powershell.exe 20 9->16         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 13->65 67 Maps a DLL or memory area into another process 13->67 69 Sample uses process hollowing technique 13->69 71 Queues an APC in another process (thread injection) 13->71 22 explorer.exe 13->22 injected 26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        process9 dnsIp10 45 www.tpc-tt.site 22->45 61 System process connects to network (likely due to code injection or exploit) 22->61 32 mstsc.exe 22->32         started        signatures11 process12 signatures13 47 Deletes itself after installation 32->47 49 Modifies the context of a thread in another process (thread injection) 32->49 51 Maps a DLL or memory area into another process 32->51
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 06:59:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 25 (76.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shdj5gcokpgdbv36eh6ldjcait77mi3i5ytub4clhmtl7obpfftq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:uymo rat spyware stealer trojan
Link:
https://tria.ge/reports/221002-l5mpmsaec9/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a0412558-2167-47c3-83cb-3e56ab8c9752
Unpacked files
SH256 hash:
4a0f25ba5bfa58f0da9d5d8b3a5fcb8410768dba642d1ed49055992ba6b424b7
MD5 hash:
61124d94be8974bcce5368650b3e6628
SHA1 hash:
96108297e87b81bb05e725ef111822d47d866978
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
Parent samples :
9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369
fbc14992308d88c7a33989479793655a4ff4c9caeb3c011f6e95b11c55f675ef
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
e3ac8c8b67752d68d7c6b20ceee1fd8d60d8506b0da5cd589c6e5976ecf8b0c1
310b4ffa559e06b739ba7b4d7cd12f47286aec7352a8aa5296955f0a7f49b190
c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4
5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753
SH256 hash:
cc8d00bd20e65f242e9dd5f769d3f4db614b79dfd8866d9782a0c6cef1e304b4
MD5 hash:
0ceb5c1d97b423df5f236c7ff088942b
SHA1 hash:
d5ff267189a16c064d3bd20c45faa086d9379cc6
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
SH256 hash:
52e281e10465e25ad38d879ba319f8d64edae937884b2f50826c761d828b9cda
MD5 hash:
03c814129471de3ae9d3f26514533340
SHA1 hash:
04533420180883f5061793e079d386346374d1bc
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
SH256 hash:
eebacda22f4cc56f706a9050d27cd4196109fd25ae9bccaa7e6b805d60197b0e
MD5 hash:
8468d753db840f42089540ba78d16449
SHA1 hash:
60cdee245daccd9f1cd84e01a925034ab6069e6e
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
SH256 hash:
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
MD5 hash:
f98bec40f03d25ad5b32a76d9c2ec644
SHA1 hash:
8d92bbb1f1d103edd65ae7f0c607bb255b2d025e
Link:
https://www.unpac.me/results/67f57986-6fe9-4f7d-a02c-ba7e892b7604/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91c69e984e53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 7fec37f1c7daa859a329abdc696324f03dc35360c6e7e916e687d41d591f42a9

Formbook

Executable exe 91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7fec37f1c7daa859a329abdc696324f03dc35360c6e7e916e687d41d591f42a9
Cape
Cape
https://www.capesandbox.com/analysis/315715/
  
Dropped by
MD5 c2c6ef5c75ecb6555b5ec113b04647e1

Comments