MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa
SHA3-384 hash: 3ec47f5c91b36863688cd2b856423b65c857e5db8a2d74a28708568be3fd5055629a26c29536a8ddeaab7fd08074d677
SHA1 hash: a60e2e89f804bbd465ed996aa7745b3ecc3b4785
MD5 hash: 60e8eecdd94630e2f235c3776a76b631
humanhash: maine-berlin-table-burger
File name:Şubat sevkiyatı için yeni sipariş,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:730'400 bytes
First seen:2022-02-17 14:26:51 UTC
Last seen:2022-02-17 16:48:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tyPFSIfbZGa/yRzk4PxkOIB0abatcn6O8fPkRLY7ZltvZrEx7Jp8:vVkOVe7v8
Threatray 13'407 similar samples on MalwareBazaar
TLSH T120F4EF2428BBD02DB072DE6C5DD476E6A9DAF372228AB47A13700E724723D41DDB3539
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242262/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.27370.24746.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aspnet_compiler.exe control.exe formbook obfuscated overlay packed packed replace.exe
Link:
https://www.filescan.io/uploads/620e5b3d875593a3ccde5194/reports/11474804-1735-403f-a6f2-fde579922234/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27c6f448-5b0a-4175-a6c8-3d0ed2f46769
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941628
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 14:27:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4777nolkpydwgszu4jm6nfiwflpdxwevdbhk6shkqy63rsz42va._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26b71bbd2d7db3c56d4a9058a84233364b49150c3bb7b60edec35d37e34d06f3
Formbook
3d1c26a55a0b7a502b019b18f4b6e87c1273d3c42a50d20c958d510f530c5f40
Formbook
79215526b0229696bf3961e09918bca444cb43b079ca70834c54db52c49c51ac
Formbook
88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129
Formbook
950ead10061a0d06ae1314f85d90925ed519d91ff8360236960e9abf68a99b7c
Formbook
9774f8078d941b17f5018bf3759bca9e62cfe4714ed55d5bd33737fcbba25ce3
Formbook
b071cb00b3e3d8715ad31c24702fdd284f7cec5ac937b47f7c64f1e630f2c992
Formbook
ccf47d9fd0a0ddce06c265b87f0e2377bb58107c18659ac908b7e3a5731ad081
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
+ 13'397 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:c0a7 loader rat
Link:
https://tria.ge/reports/220217-rsfcpabcc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
cb1394d16894be7b9488b629afb19674f84d216c1117e68975f94452dbaec74c
MD5 hash:
9e3cfde2483b22fc8fd53bf100daa9b8
SHA1 hash:
5234960821495aec0a74dc440568366b8d9c225e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/75496105-aee2-49fc-8b46-3d7c39416428/
Parent samples :
5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc
ccf47d9fd0a0ddce06c265b87f0e2377bb58107c18659ac908b7e3a5731ad081
f477ff9ff2a431f168d2defd7c9b62ae9f0648488e9977479e407468d5cdce1e
a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa
f84b362a10ce6a355e3d48e602f672416acddab0194b1dc0ffaa01213bf28d2a
SH256 hash:
39356995d45fc5e4a05a68a932ca3bb02a12b1aec226c7deb79dd343905b0ba0
MD5 hash:
03e210f55d97af0d7e49e9f1c948b203
SHA1 hash:
cafafa777e8e4739d7dbdbd430c8bce649cfe80f
Link:
https://www.unpac.me/results/75496105-aee2-49fc-8b46-3d7c39416428/
SH256 hash:
a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa
MD5 hash:
60e8eecdd94630e2f235c3776a76b631
SHA1 hash:
a60e2e89f804bbd465ed996aa7745b3ecc3b4785
Link:
https://www.unpac.me/results/75496105-aee2-49fc-8b46-3d7c39416428/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a73fffb5cb53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/242262/

Comments