MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b07bf739cd3a803bcf0d57fcbf8d5a628005457db39fd045324e08bd92e6537a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: b07bf739cd3a803bcf0d57fcbf8d5a628005457db39fd045324e08bd92e6537a
SHA3-384 hash: bfc75d0f9617ac1883c2443876cb56f166c5ddbb061fb15021671b9217a735f3dbe8163875b5900c583a2d89c05ee5e3
SHA1 hash: b10cf48c2bae6567362ca1ca18e4cdb86c856f27
MD5 hash: 64db587135351a24a1854980c3a0de20
humanhash: floor-india-alpha-mountain
File name: payment copy.exe
Signature: Formbook
File size: 798'720 bytes
First seen: 2023-05-08 08:19:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:8D11KTIOnGgXWMbT1xl42vnsXu4ZdPY+sQN45fmd:8PKTIBgXx1T42UpP+QK5fmd
Threatray: 2'735 similar samples on MalwareBazaar
TLSH: T1DC05E13527B9BB91ECB683F82608A001AFB47D5163B6D5E84CCAE0CD5159F09FB10B97
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 244
Origin country: CH

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: payment copy.exe
Verdict: Suspicious activity
Analysis date: 2023-05-08 08:19:28 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: comodo jigsaw packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 60 / 100

Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Multi AV Scanner detection for submitted file

Behaviour
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-05-05 06:47:45 UTC
File Type: PE (.Net Exe)
Extracted files: 24
AV detection: 22 of 37 (59.46%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files

SHA256 hash: 656aada2ab9390504d7cf46b92d0393d234c3e85812f7f9973f50f17d752b189
MD5 hash: 20b79fb655ddb0e5e04635dced149c57
SHA1 hash: 9629333ca38b574db631577a0c541ae70c3f1f28
Detections: win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: 52fd88bb4e09230c87eb8c536ce9efb118a3ffe14bba30d16f879b96fe41c819
MD5 hash: 9b76023056ff0066e8eb2b99c325ae59
SHA1 hash: 1f8ac416222ad6f4842559346d18e594a0e445da

SHA256 hash: 21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash: c926563698de3a89ad20474c85122f73
SHA1 hash: ed1a3b2527ace111e6f39880c7ee3965f301330d

SHA256 hash: ef7122a98eca35c197740b6d6e1905c446a9d65fd1580f8fb3274d85151e5245
MD5 hash: f4ff5b1b1dc7d2cc8c440f83bce82f8b
SHA1 hash: e15b4dd8354139fbfefc4c63bfde8311da9f226f

SHA256 hash: 5cc3cc51d1577147839bba235587d04a3702763c685cfe4fa1eaf197a259a828
MD5 hash: c3362a34fc0dc0b2c20715d07d8dfff5
SHA1 hash: bfff2df87ca675537a356a57dbf9c5b78b27d779

SHA256 hash: caef32939eee926017c67988c8051fa9c3ad8ad60a13ed4bc9d37a163f93cfb7
MD5 hash: 3870765c6aac004959f3304fea465a1f
SHA1 hash: 7a5e09b8ff6cd296c59920d525a5742a301d627c

SHA256 hash: b07bf739cd3a803bcf0d57fcbf8d5a628005457db39fd045324e08bd92e6537a
MD5 hash: 64db587135351a24a1854980c3a0de20
SHA1 hash: b10cf48c2bae6567362ca1ca18e4cdb86c856f27
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe b07bf739cd3a803bcf0d57fcbf8d5a628005457db39fd045324e08bd92e6537a (this sample)

Delivery method: Distributed via e-mail attachment

Comments