MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d
SHA3-384 hash: 221db1b769ce9cf02ce448ac6182b24af51b7a2f18ebf3299a148e24b0441a041fc7fc1de7d31f39eb5fd3da18a5e7de
SHA1 hash: 06f84fa004726837994114130882d99f3287e8c8
MD5 hash: d98c6e70cf6b89e13864a586e6c1ff84
humanhash: lion-mockingbird-thirteen-sierra
File name:Dekont - 2023 05 26T09EUR_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:4'028'928 bytes
First seen:2023-05-26 14:48:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:ZqOt7bcffW8qbxjSzSFDG2t4bSPTAQfFMQqJhyfbiVY:
Threatray 887 similar samples on MalwareBazaar
TLSH T17216B0330687FCE9E3E26A7CC44625040DC4A8E3F33DD29CBD4B12FA65F16949A578A5
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Dekont - 2023 05 26T09EUR_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-26 14:55:06 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/ad3cf2fc-4e9b-4931-81ee-2c34577c2c97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/392153/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.30942.6869.4962.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6470c6e168e69542aaf0eff3/reports/4b9e95e5-0b52-47f0-8522-4e6b3bb3438a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7242979-e818-4618-85ef-ea62f9d35865
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243386
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 09:15:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2grclnxu4duvsojgta7grjv4yizyfrqqatgzpyccigim6nnc2oq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08844badf5c2bdd4dc6da38cfd0d774768efe5383f2a10ab811ade9e6c1c0eec
Formbook
28981de1a7a9617749fe0a5d19b8e0c80b2dc082118c1ca1b95e475df34e44a4
Formbook
6ea7ca3a65d2621c8a9c7502eb9a7f914d5a155a3791e551cc3308f638ea307c
Formbook
6f9e6daba8384e0535415277476d0bc21a6943ed2cd1483b18259280fab5e2fc
Formbook
8ce37af1383c79989d2d67cd434c4cd652e2c9fa7d69b271c32f313fc2f884c4
Formbook
9048c7507764dd285566e7bcdd0db1a5ca6554fc08739e9af182d4cc0a18e201
Formbook
9b1942fa7ddd58c89413a062fe49730f6bd340101619985a9ff83439754fdb03
Formbook
afb6ebaef93a9f20bc3e52580cdcd0ca4558dc8307485d1b7c52380a686680fe
Formbook
ca616fbadc2bf1701421a6563fed4ab92fcf6efb039e1127e22e384571a03233
Formbook
+ 877 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hs95 rat spyware stealer trojan
Link:
https://tria.ge/reports/230526-r61ksafh83/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
83bcf419c847f65e877c951b09582457d8b41bcea9ae7f45972703b082ee8cb0
MD5 hash:
54841a158a44ed5508b9c6431dc3c127
SHA1 hash:
4e3b2494d6d9bfc323cb02191590150266765c52
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5b5b773b-6b07-4c4a-8cfc-81af4db91976/
Parent samples :
3c0001a9cfd20743c3bf08640859d90142456096612d035fde79ef2923ad45e0
968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d
bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315
788b280619372d2e7d1f1c6e00824cccb0cb581a7db5203f813a3d9df052f570
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/5b5b773b-6b07-4c4a-8cfc-81af4db91976/
SH256 hash:
d48a53aa9990c02cc073c419a712624fdd2fe5eb99e3dbccf9ddf66626a7bb44
MD5 hash:
f3f957f6b311193e81bfd6969ef373c7
SHA1 hash:
71ac0efec4de3158f39b60133fa6cd093a6a2047
Link:
https://www.unpac.me/results/5b5b773b-6b07-4c4a-8cfc-81af4db91976/
SH256 hash:
968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d
MD5 hash:
d98c6e70cf6b89e13864a586e6c1ff84
SHA1 hash:
06f84fa004726837994114130882d99f3287e8c8
Link:
https://www.unpac.me/results/5b5b773b-6b07-4c4a-8cfc-81af4db91976/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/968d112db7a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/392153/

Comments