MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7ef23c55b79011e898e2b7734e2742890865ebfdc309dbc7bd6e2f073639a7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7ef23c55b79011e898e2b7734e2742890865ebfdc309dbc7bd6e2f073639a7c
SHA3-384 hash: 64bdf98070d6adccb92de60eac876c16bcc0ab920b377cbede93cc025058655b449cb6d52d871744b41f82f61bf45bd1
SHA1 hash: 2bc9bcd8e9f868796270359a11d4786e5e2832ee
MD5 hash: 3d54cd16d34f2285ec1d903a12665c19
humanhash: moon-speaker-edward-floor
File name:PO21112022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:470'528 bytes
First seen:2022-11-21 11:46:08 UTC
Last seen:2022-11-22 03:18:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:aW1bJox0vNUv/Iz6SpNzCrYceeTZxvF5X:aW1bCx0vNU/2N8Ycxh
Threatray 628 similar samples on MalwareBazaar
TLSH T109A402516938D9D9C69FD73BC4B831DB2EC522CFD2E024C4950DC7AAB852643ADEE234
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO21112022.exe
Verdict:
No threats detected
Analysis date:
2022-11-21 11:49:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f14bc3f7-0db0-497b-8202-db58a7a16045

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336738/
Detection(s):
SecuriteInfo.com.BackDoor.RatNET.2.22087.28951.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Searching for synchronization primitives
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637b6536e64742f53c1070a0/reports/679ec54d-710a-4a5c-8669-44ab7d174d7d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a14535fd-e94e-463d-8b0a-cc26a8dd964a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118067
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 750778 Sample: PO21112022.exe Startdate: 21/11/2022 Architecture: WINDOWS Score: 100 31 www.touzitest01.com 2->31 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 11 PO21112022.exe 1 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\PO21112022.exe.log, CSV 11->29 dropped 55 Writes to foreign memory regions 11->55 57 Injects a PE file into a foreign processes 11->57 15 CasPol.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 2 other signatures 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.boursemastery.com 217.160.0.56, 49711, 80 ONEANDONE-ASBrauerstrasse48DE Germany 18->33 35 www.touzitest01.com 43.155.15.63, 49714, 80 LILLY-ASUS Japan 18->35 37 3 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 49 Performs DNS queries to domains with low reputation 18->49 22 msiexec.exe 12 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7ef23c55b79011e898e2b7734e2742890865ebfdc309dbc7bd6e2f073639a7c/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 06:47:13 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
21 of 40 (52.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7xshrk3pear5cmofn3tjytufciimxv73qyj3pd323rpa43dtj6a._file
Verdict:
malicious
Similar samples:
002e81aaa44917c3f31513578174f22fa9eab43e0a64714901a8e1efe8887cec
Formbook
1c2eda4db0f0cfb353ff0646672d055e2864daaec0bae7e66c90a405dcf3ea39
Formbook
44a7a39d50a8efc1ba347997393f379f1b177086f1f325b8e28b11359c3ebf8a
Formbook
544ccf26cf0038cc8d76b952e349f3e49db27e4d2cdc89ea72fa2fb8e8996038
Formbook
7265ba924abcc035e8263873f5ed19842a0ad724b408fb816e7c1b64768b0cf0
Formbook
a43a510468f0f694f75cee68d55c019f5de3f72b3627e3e3b8718d8afb2281bb
Formbook
b2280bc6cc58ae7bcbabc2ed5c5878d70ed463b46cab27da2103ac19ea5e52fb
Formbook
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
Formbook
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
Formbook
+ 618 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:th47 rat spyware stealer trojan
Link:
https://tria.ge/reports/221121-nxvrdscf5z/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b7b32fce-6763-4065-94c1-d258db0e645f
Unpacked files
SH256 hash:
a7ef23c55b79011e898e2b7734e2742890865ebfdc309dbc7bd6e2f073639a7c
MD5 hash:
3d54cd16d34f2285ec1d903a12665c19
SHA1 hash:
2bc9bcd8e9f868796270359a11d4786e5e2832ee
Link:
https://www.unpac.me/results/f974e346-0a28-4852-8f0f-0279e5ae3924/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7ef23c55b79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a7ef23c55b79011e898e2b7734e2742890865ebfdc309dbc7bd6e2f073639a7c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 06872319375b38bc03de1b0fcd7bfa565aa3045a72d74b229c22c8fc8233166e

Formbook

Executable exe a7ef23c55b79011e898e2b7734e2742890865ebfdc309dbc7bd6e2f073639a7c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 06872319375b38bc03de1b0fcd7bfa565aa3045a72d74b229c22c8fc8233166e
Cape
Cape
https://www.capesandbox.com/analysis/336738/
  
Dropped by
MD5 9bfd0690ed981fc362353e9ef5bbf8a4

Comments