MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785
SHA3-384 hash: af3c215ae8b8c5dae2bdd543700c151a2ba7c03bff92107335f8ed504b589f4072b67d7f6d8b58b03dc2ec79a95464cb
SHA1 hash: 4f472eeb47144652b2bc0a2b00c49b3ee001145f
MD5 hash: 4efe1df7cd9d64ba29c001a1f810fc1d
humanhash: iowa-september-paris-september
File name:Purcahse Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:683'520 bytes
First seen:2021-07-30 06:02:12 UTC
Last seen:2021-07-30 09:28:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:0x3pPra/h7iS/d348pkLvAzSnt8BQUR1qFVqxxBKsgCR0hN5TPWf+Wa:03ra/AS/d3P+vfn2BQY1qFSXKGRU/jWf
Threatray 7'050 similar samples on MalwareBazaar
TLSH T10BE4AE65848CDFAADC5C03B4DB4C02F02EF19CA6E0B0E5633E857DB5B5B0A11D9B8786
dhash icon 4549494d4d2b714d (7 x Formbook, 6 x AgentTesla, 3 x NanoCore)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
562
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purcahse Order.exe
Verdict:
Malicious activity
Analysis date:
2021-07-30 06:06:56 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7bf24d6a-b298-4df5-8289-42a8ea59bdb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175186/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd475b8c-c6fc-4bd6-bdbc-cb2f1594b29f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824366
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 10:33:23 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzkbfifz3y3hpz3cbmp2lqiveep2tzsckwck3qsjqx4j5crdi6cq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25644ff35da89545c702b633182c4ff1f649dd64c9c8249be9afe7090359d87d
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
83fed765d229173fedc6811b521cebdfcec3342713679a57d49188ba554c00fb
Formbook
ac569d0ffa88503800f67906ffba34f7824578a486bc5b5a6538ab25126c4875
Formbook
b03f6bc5eec0f24076b3ef2c761b21d75c489ad34c5f94dcffab6d2b4d65263f
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
f230480c3c0154a2f537f30f2f361bfa55d829264672998cd9131b8706161a9d
Formbook
f6b1a22c0cfc0c363bb163b7bd3236ee1dac2995a3511a6a941b7a7af656ba25
Formbook
f8ca257b6bbb8a0b617611a8ddb0068f056f3dc38eb525495978632b03964380
Formbook
+ 7'040 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210730-37pjl5r472/
Behaviour
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
CustAttr .NET packer
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.shopjempress.com/amb6/
Unpacked files
SH256 hash:
71f132c314667ef1930a682f9a1211bd0cda9945f1abf9b596131c16d4e53f64
MD5 hash:
f21a7361b83c0e53c319d664dcc2d117
SHA1 hash:
7ace32622b3f693f294df7391fdd6af7a77bdda4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3e94d31-6791-4812-9bd5-b84fa8222d57/
Parent samples :
ac569d0ffa88503800f67906ffba34f7824578a486bc5b5a6538ab25126c4875
a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785
657bd12172568c696ae02af0948808a0f9ab30d77ed199abd0f3bdf08f5d0513
065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
4cc3c108df5e861d0fb0dcc7f4bcf8c7d717636204f5e0d242a316ce9475bf4a
SH256 hash:
4c309fdfb1a14be5b308fa509f805bd79c4c960d543745f33c4462b781a619fe
MD5 hash:
05fe69e9efa850991a31ead1108e35bd
SHA1 hash:
d7c4c5b3f42e04fbf4928042f3bde85b37c83d4d
Link:
https://www.unpac.me/results/c3e94d31-6791-4812-9bd5-b84fa8222d57/
SH256 hash:
5d8a8f58875f76062abdc50d793c5ac1c155938ae781fd323fe27f7662eb5dbe
MD5 hash:
8fc091a0f6741f4fa93f908a2201685b
SHA1 hash:
48703e3a77233314de39cb8083fd4cfadddac2b1
Link:
https://www.unpac.me/results/c3e94d31-6791-4812-9bd5-b84fa8222d57/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/c3e94d31-6791-4812-9bd5-b84fa8222d57/
SH256 hash:
a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785
MD5 hash:
4efe1df7cd9d64ba29c001a1f810fc1d
SHA1 hash:
4f472eeb47144652b2bc0a2b00c49b3ee001145f
Link:
https://www.unpac.me/results/c3e94d31-6791-4812-9bd5-b84fa8222d57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a65412a0b9de3677e7620b1fa5c115211fa9e6425584adc24985f89e8a234785

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175186/

Comments