MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289
SHA3-384 hash: 1aeff3399b5daeccf0cdfb2a93d32fdde58dbf6ac4c65fb578242bdb1793f3f96dc085ba1fab22630874cd39eff96549
SHA1 hash: 079093543ad905434cc8cf6726b95ce5682ad1e7
MD5 hash: 830c172be768d43b77dfd43ac984dd29
humanhash: oscar-lima-september-alpha
File name:Purchase Order (#11022020]pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:331'951 bytes
First seen:2022-04-13 14:09:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 6144:zjgthh86O8PK+7cq1OCwnrCFIXr/XFIoFA/M+KT/cRsFCtJCNKD:ot/86tK+QqsC0iCrdIo+ST/cRsmCAD
Threatray 4'961 similar samples on MalwareBazaar
TLSH T1236422576282D4BBD4971FB20EF53671F6B1EB010802A68F97165FBF3F30286D81991A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Purchase Order (#11022020]pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-13 14:20:47 UTC
Tags:
formbook
Link:
https://app.any.run/tasks/7e85bfdc-8cc6-451f-9a42-d9f0f743c692

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263467/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.16854.12581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13783/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6256d9c0482f2f41caa74298/reports/8690822c-056b-45d1-80b0-98bc25211b51/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f2ed8b5-5352-4773-ba28-2155a021bf8f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976260
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 608747 Sample: Purchase Order (#11022020]pdf.exe Startdate: 13/04/2022 Architecture: WINDOWS Score: 100 22 Multi AV Scanner detection for domain / URL 2->22 24 Found malware configuration 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 7 other signatures 2->28 8 Purchase Order (#11022020]pdf.exe 18 2->8         started        process3 file4 20 C:\Users\user\AppData\Local\...\aevidem.exe, PE32 8->20 dropped 11 aevidem.exe 1 8->11         started        process5 signatures6 30 Multi AV Scanner detection for dropped file 11->30 14 aevidem.exe 11->14         started        16 conhost.exe 11->16         started        process7 process8 18 WerFault.exe 23 9 14->18         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 13:27:56 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vyvwa7e3norghwmopp36b3mhfb6dgmchklhuslp763zfh47egkeq._file
Verdict:
malicious
Similar samples:
12d2bc93a0ad2bc0ef4371472929c84f3440a1c0d762127258b07e50f26124d9
Formbook
17537822450bb11f587944ee0509e308fe9935888ad7254960ccf7269a3bf476
Formbook
38c909bf15fc21291bb3bda3e4c56b117bc9810a85508eb46308b5ebcccd2719
Formbook
5ffc56c61220a361b33eae01a1b7859d93d696962d0de536ddb5e979179c2dc4
Formbook
62cb6977571673131e19fb967260bbe11d225a79197cba0f78ced3cf9b0b2fea
Formbook
a1a538fe935e970518aa2e5c454afa8e6b5cfb0f6defc5659b3b9e9998e7fdd9
Formbook
ac3e120197091d544f8e462bc2338c88545d511e6d29a680b17b9cbf3469ecff
Formbook
+ 4'951 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o27j rat spyware stealer trojan
Link:
https://tria.ge/reports/220413-rgn6fscdf6/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
eb113721ae337f5920cffa1b21456290acaa56830f25188b8f6dd25057492b80
MD5 hash:
3a2c41b37bd5993d6b3f01fc4a8bf707
SHA1 hash:
09d0a1e57e0241fcf2b4b9ed7d6ee9cea809395b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e45e3ece-941c-4a63-9ab3-0521d1552b84/
Parent samples :
4d5d803e91d5a07b32a19a06a8f722d3d4aead462bb2cab23470f2c2ad79b71a
ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289
2ee32fd5fafe174b2fdfa8dfd614686e9d8bf0552ff8ee78a3a1460566619769
192f3b70cda2b630bff5dab6eb11bf130882352634956762e39524f541210292
SH256 hash:
4c13689c87c541a592c5764c9aabed140cc10e693d86d3eb7650a07d7ec3168d
MD5 hash:
a5346f24a1456c0ca3563d673032c378
SHA1 hash:
72923eb917343b6c9e91db341ddf60a621d3e20b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e45e3ece-941c-4a63-9ab3-0521d1552b84/
SH256 hash:
84793a0abafb1359181904ef25ecc2aa98520bd224113dae140d9e631bd6b77e
MD5 hash:
bebb9285d257bb118b71975476b5576f
SHA1 hash:
383b6632dab87021fb8f4746c2a4aedd0ecf3e17
Link:
https://www.unpac.me/results/e45e3ece-941c-4a63-9ab3-0521d1552b84/
SH256 hash:
ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289
MD5 hash:
830c172be768d43b77dfd43ac984dd29
SHA1 hash:
079093543ad905434cc8cf6726b95ce5682ad1e7
Link:
https://www.unpac.me/results/e45e3ece-941c-4a63-9ab3-0521d1552b84/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ae2b607c9b6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ae2b607c9b6ba263d98e7bf7e0ed87287c33304752cf492dfff6f253f3e43289

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/263467/

Comments