MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549
SHA3-384 hash: fbf93f050e0ff2618202c57f331979aef8160b255e6a28753e2f83f0dc33c9cbb94fec9f7fb85addf9686962287d5e1d
SHA1 hash: 8c2b0ae13524aa051d561de911168c0ac585b8d5
MD5 hash: b287e91faea6a7d8602297d95e1a8e39
humanhash: magnesium-uranus-august-snake
File name:RFQ-Bid supporting Documents.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:762'368 bytes
First seen:2022-03-01 05:21:11 UTC
Last seen:2022-03-01 08:34:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7EX0R/I60njztfvAZJsj7JcIVy3VdMgphi+oJRE8eaEJ+m5rulveu+KsLEEh3kbT:4jzFksjaIVGVG+ouJDulGRLaYaQ2zxLT
Threatray 13'422 similar samples on MalwareBazaar
TLSH T105F4BF0438E65038F93A9BF1CAC1EBF1DB6EF261E48974F654000E558A45BBC8949EFD
Reporter FORMALITYDE
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245512/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.25340.6326.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/621dad7db94fb38cb42b51d7/reports/f9d8b598-4bbb-48cf-96fe-49af31d9faed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb34f5e9-cc45-427c-9134-c229afaddc14
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/947835
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 02:59:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyemgnnhdqwu4ogom6xvfg7w5g64qrkvzxhae2pk47kvhh5dgveq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00d8e033e68ffe5f290339a1e00193b0376814bc8a27c8978b9b5e0de6b2823f
Formbook
0adfc99fefcb09f082e85f53025764a8ea4b0f35a4140540022be9de71bb58e9
Formbook
28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
Formbook
3554e8a6c968467f681a97f7d0af60e7be69d515ee9b093b8be749811ec99c0b
Formbook
60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f
Formbook
96077c533e59e3b8cf38826e5e37e35f1f2eb44d356eae6575223158b565198e
Formbook
9e41bc1734c4bc894acdc9c08568cb2f1cd01078fa9b5f30d6f18c6383c22863
Formbook
c0b711533265ba0808d1f7a5fc9b0dd17e19187c9566d9908763d27aaddf023c
Formbook
+ 13'412 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pot0 loader rat
Link:
https://tria.ge/reports/220301-f2k4ragcc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
196e6578f74d601b29261eecf19609fcf2b4534e1cef954006d5f898952599ed
MD5 hash:
0f9baee7daae03f659c624452df5e86e
SHA1 hash:
d12750e48185ac954851595cdac120f688b194e6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f1472fdd-92fb-40e5-b935-0cd83f1a944a/
Parent samples :
a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549
44636c052353f293bd3302cb0844e7e3add7a2e929a63e6ccdafb6992eaa3e99
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/f1472fdd-92fb-40e5-b935-0cd83f1a944a/
SH256 hash:
c56e0470435b3f6ec1454cd9fe15dc457e9467f6ad4d284335547b1e660df300
MD5 hash:
8e0eb7c2f21aff62657969be981c2049
SHA1 hash:
32746594d1926a96d5130fec89fa19607ebc516a
Link:
https://www.unpac.me/results/f1472fdd-92fb-40e5-b935-0cd83f1a944a/
SH256 hash:
290b3097fc06bc31f8053abab159455d93c4848419c9adcf064337dad357d7ff
MD5 hash:
6d9800f3a968a237117a17035054aedb
SHA1 hash:
2d9eac23e4353ec147ab9722241a9bcf7493f286
Link:
https://www.unpac.me/results/f1472fdd-92fb-40e5-b935-0cd83f1a944a/
SH256 hash:
a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549
MD5 hash:
b287e91faea6a7d8602297d95e1a8e39
SHA1 hash:
8c2b0ae13524aa051d561de911168c0ac585b8d5
Link:
https://www.unpac.me/results/f1472fdd-92fb-40e5-b935-0cd83f1a944a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a608c335a71c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/245512/

Comments