MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b7fe2b84d76cd7fecd4e91834dec094ded637374d0ecac59d690d3d9b1022a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	9b7fe2b84d76cd7fecd4e91834dec094ded637374d0ecac59d690d3d9b1022a6
SHA3-384 hash:	d3b3e2a7a22570d70dead0bc37204cf1bf69e4dc87ca183e8a50315d58ff4a707095ddeccb8b0a47a2a8309014cb4235
SHA1 hash:	5cf8aacc779e2e045a5523290d07f00de80fe888
MD5 hash:	c0775a59a24e386698858f4ce406f0dd
humanhash:	earth-lemon-fillet-snake
File name:	DHL Invoice Details_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	968'192 bytes
First seen:	2022-10-19 13:16:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:2BJTYfEunhFY2OSMmm0f9/7U8GepVabdefcgHfoyOcyxVEndrh:cmDMX+7n1VabUcgHwyvyxVwv
TLSH	T1F32527B625D10207E42972B59493E2F322FBAE506041D1CB60D33F6FBDA15BB961339B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

DHL Invoice Details_pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-10-19 13:20:38 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/35d32f69-0456-45b3-866c-cfcd40bda6c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321728/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.45384.571.22137.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching the process to change network settings

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/634ff8d0898b0652a4b8fbae/reports/935ab483-9323-43a5-923b-15180ab5aaf9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2dde181b-79f6-4a30-9265-de50acee674d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1093491

Signature

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b7fe2b84d76cd7fecd4e91834dec094ded637374d0ecac59d690d3d9b1022a6/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2022-10-19 02:39:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tn76focno3gx73gu5emdjxwastpnmnzxjuhmvrm5negt3gyqekta._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/221019-qjc1jahdb7/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1aa6e1d4-4a90-4851-b384-89c81ba52904

Unpacked files

SH256 hash:

cd16667ad6ebfd7c838d180c3da34f85112925c7e5760080ad55f35de7b573fd

MD5 hash:

bbc32de0d450f2ee3e8410ba0acc6353

SHA1 hash:

6b59fa96cb9eb1324e1beaaa850714f0be917d16

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/703ac9fc-6b2d-4a2d-9afa-0d6e2330d6fb/

Parent samples :

1e9b2dab23e487f9f8442ab474b4ec7b56d5bbeca861d37c936a6bbbe2e84bdb
369d9c19a6f8e9b3fc88bb922fd7253a50b5fc90b1691972bf89748e19a0ff81
9b7fe2b84d76cd7fecd4e91834dec094ded637374d0ecac59d690d3d9b1022a6
4f46866f53d2ade9fff6ae887be38de3d611e39328443c88655b379941b81307
1b53c5714322ee87fc3d6d7e513818d009b98fbd68dab63767567b6b22864d4d
90260aceb18d9538c91ec8739dfe72b7dbbda8a060bdb9308ad1bdb5c2a56884
7a7fe99e9c14cffa44335e28d42bb6bd54c5c98ad0c3d4d1a540fc94c8adcf8b
8eeb6093be656c82fede5792e0348fa4c9b763f0908395bfdef9e60da504e6d3
532c9ac579ae5cc491b443c13a7e61c8ffd232828f3acdbd3c1710d518022739

SH256 hash:

5f1477e80e6edf45a00b7d21e318c8120fca217725aba71256e6e5c064c2bca2

MD5 hash:

12c9a42a7e179534957e80c57f65c8ea

SHA1 hash:

bef4403d98be2c6ffbf0beba10ed3f3cf88e0966

Link:

https://www.unpac.me/results/703ac9fc-6b2d-4a2d-9afa-0d6e2330d6fb/

SH256 hash:

4f06873e15e58ac0a116085ea1b7795a36e98348245ea959edfc459b219ab3f7

MD5 hash:

600a2705c8c4bd56c64273cd85170cee

SHA1 hash:

bafb8250baf6b5a8b63fcc811aae995543defc75

Link:

https://www.unpac.me/results/703ac9fc-6b2d-4a2d-9afa-0d6e2330d6fb/

SH256 hash:

678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5

MD5 hash:

2da433d67db4775d8f02a8fed4b31bf3

SHA1 hash:

235fe8f2076f3b5cfffacc574825550cee8e61e9

Link:

https://www.unpac.me/results/703ac9fc-6b2d-4a2d-9afa-0d6e2330d6fb/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/703ac9fc-6b2d-4a2d-9afa-0d6e2330d6fb/

SH256 hash:

9b7fe2b84d76cd7fecd4e91834dec094ded637374d0ecac59d690d3d9b1022a6

MD5 hash:

c0775a59a24e386698858f4ce406f0dd

SHA1 hash:

5cf8aacc779e2e045a5523290d07f00de80fe888

Link:

https://www.unpac.me/results/703ac9fc-6b2d-4a2d-9afa-0d6e2330d6fb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/9b7fe2b84d76cd7fecd4e91834dec094ded637374d0ecac59d690d3d9b1022a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/321728/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample