MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140
SHA3-384 hash: 0a23aa9d83efee4e2aec058d438d5f3f31e88803ae756464fd912dfc3b802914be2119226920b51f704fb7cd7820d03b
SHA1 hash: f04b007ffc63ffe26f6704f1e914f7ab8d0ffe53
MD5 hash: 6119eee9edae7b3337d53e25dd11a883
humanhash: romeo-fanta-hotel-snake
File name:REVISED SALES CONTRACT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:676'864 bytes
First seen:2023-10-10 20:43:44 UTC
Last seen:2023-10-11 06:17:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:mV56OfX9KuvY7pA3Pba4PKSUYSi26AJ5de5o06eD4NF6TY47+kVpTm:oftlvYqDaF+26AbQ5500c4akDT
Threatray 38 similar samples on MalwareBazaar
TLSH T135E412043AA5C007DA9947359FA6C2B403715D2EA124E7B219F0BDDFFDAFB43909918B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 34263632b39bd9d0 (9 x AgentTesla, 5 x Formbook, 3 x Loki)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
288
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
REVISED SALES CONTRACT.exe
Verdict:
Malicious activity
Analysis date:
2023-10-10 20:44:41 UTC
Tags:
formbook xloader stealer
Link:
https://app.any.run/tasks/4170d92e-b8ba-4396-8a65-bd093c3cda9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453007/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2370.18756.15053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6525b797a31588d184f661ae/reports/c79807d9-a681-4246-ae28-7a6528ce297c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46a91ff8-dea3-4eb8-90ac-fa2c3f6c4493
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1323280
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 07:31:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 35 (51.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwargh2ppygkdnfyt4l6mplwnmnuyggrzodt3men4v7nq343wfaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26c004fb03af90aee24cbe0edaeb758c87e8835ce235ecb49b1e0c1eecf17538
Formbook
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
5706d8958701b77e315dcd2d850bb5028518dbea8a851d84680f15b0669430f5
Formbook
988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2
Formbook
a915e631517c5b9eadd5062e2c12d33521950a2650d56e69f60ed0d783f35345
Formbook
c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910
Formbook
d54779db2e1229fd52e0f90f52422accfa374f74645a9ca20503e2c8a6669630
Formbook
ea2adbcb61a20497bc442d31600336a93659f5b38ee367fa83c0a996b0912e83
Formbook
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231010-zh5tlabh84/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
a38df32e7f650e84cd93d36507bfb9680b8731af805f571e511037721043e04c
MD5 hash:
e2ead1261e91b4187988699cbd932f56
SHA1 hash:
d7928a4d0865b3d1f492de1e73206829c5f57f6a
Link:
https://www.unpac.me/results/7b2eaaa1-81a7-4a5d-bcae-9cf18af024fb/
SH256 hash:
5257bff9b26e3011240aca54b18a6ea9d6debac964d0e992f04dc963e985c77b
MD5 hash:
6f72042376cd870b7f17017c053144c7
SHA1 hash:
9b52891ed725e5570db354f5d7ee786b4ad74aee
Link:
https://www.unpac.me/results/7b2eaaa1-81a7-4a5d-bcae-9cf18af024fb/
SH256 hash:
a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29
MD5 hash:
a5a52675690de850e3de6c05a9bd885f
SHA1 hash:
fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6
Link:
https://www.unpac.me/results/7b2eaaa1-81a7-4a5d-bcae-9cf18af024fb/
SH256 hash:
925b797111089c3bfd5eba44956d13b71f9d070939d55fa2ab3f7b8f1cc9f481
MD5 hash:
04cdf31ec6657d9f9460f2a65ff8cd7f
SHA1 hash:
84b7a57459c280a84622b7927f6d9b3f26a627b5
Link:
https://www.unpac.me/results/7b2eaaa1-81a7-4a5d-bcae-9cf18af024fb/
SH256 hash:
6780eaf7ef5c3e048d852ede0bcfd67bea36c43aece56bbf44fface89a70aee4
MD5 hash:
b4aaeb33d65cb43ec74b11289f1f2ddb
SHA1 hash:
4d9fa28043f25c9527c36e2b6878c8ffef852eb5
Link:
https://www.unpac.me/results/7b2eaaa1-81a7-4a5d-bcae-9cf18af024fb/
SH256 hash:
ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140
MD5 hash:
6119eee9edae7b3337d53e25dd11a883
SHA1 hash:
f04b007ffc63ffe26f6704f1e914f7ab8d0ffe53
Link:
https://www.unpac.me/results/7b2eaaa1-81a7-4a5d-bcae-9cf18af024fb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad81131f4f7e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/453007/

Comments