MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd
SHA3-384 hash: 3fbd33e8839d229228a35fb19e1554ec9a2bceb7de0b01c8a83bd5b1b83dea0b46ae0a199ddb03288d4fa1907161231f
SHA1 hash: 0ab2342061f68feca4ffc4c9220005592c11a1cf
MD5 hash: 9695e045b6aa90282cddc3eb0aa5c6ab
humanhash: south-enemy-dakota-fix
File name:FEB PAYROLL 2024.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:715'776 bytes
First seen:2024-03-20 03:11:38 UTC
Last seen:2024-03-20 04:28:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XEUq9AxN1kz0Mb1gjqWpLVRupEEQFC0kuVtCkFRw5haWFrK+QiICGP1UwZmKdlnM:XEUq9AxN1ZIwq6RuaFC0kuVKha9iI3tW
TLSH T11DE422223BFD1213F3B59BF463B198861B75F5232358E3DD5DC420AE6ADAF110268927
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cc948b667969653c (13 x AgentTesla, 5 x Formbook, 2 x RemcosRAT)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
401
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd.exe
Verdict:
Malicious activity
Analysis date:
2024-03-20 03:12:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86d96783-1ce0-41c8-93a2-6f61d8cb8603

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65fa5403c1137bbf149f0033/reports/bccd1657-1b57-4888-bf4e-33fdce2bb7bf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/128696b6-c953-4b2b-bc19-9b330217727b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1412129
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-03-20 02:13:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wc4q77a36lrt6blzqg4neri56atpyulz36dxj4onmr77bjn7rh6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240320-dp65caga8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
02d67a9446465acd813f64957cbfdb5fc86315d417432d1fd709558808ce021e
MD5 hash:
b82c781120199d1ccccd2fa79a9ada86
SHA1 hash:
c3457144dae9ab3c4273e53ea144acc131bed35f
Link:
https://www.unpac.me/results/98f52ebe-9206-44f6-98dd-d96657f1a1ed/
SH256 hash:
318cbe6c5e8564e124fb94887d6cc6da5b6589e4374980aeaaca1e90279c3c5a
MD5 hash:
5c6bf8dd2e824198fe624a6f22a7be6e
SHA1 hash:
1092637d98fcf9f5bdc078c686ddc81712e69a50
Link:
https://www.unpac.me/results/98f52ebe-9206-44f6-98dd-d96657f1a1ed/
SH256 hash:
3b64f9acc271b498ec25105c2fc9751546a97113190e84bacec3cb5771ff5e85
MD5 hash:
d925e52e91c49c93255d5b845086800f
SHA1 hash:
c1bab013b9d94bc3e5a7f7d028d704361a638abe
Link:
https://www.unpac.me/results/98f52ebe-9206-44f6-98dd-d96657f1a1ed/
SH256 hash:
8a42144bfaed7278d478bb226c64cfad8abd909f2f4ce18ed17018eebbd590dd
MD5 hash:
10f2dcb1aa3ec0d37027968d347b257a
SHA1 hash:
b2d1181f17169f535a8bfa614c21aab23260155b
Link:
https://www.unpac.me/results/98f52ebe-9206-44f6-98dd-d96657f1a1ed/
SH256 hash:
c1fc851f58ac28ad00fcf4c544d72f60ee8446095a78306ff27bb9ec266e3dc8
MD5 hash:
e67360696d50e8e7ec7627414305a8dc
SHA1 hash:
39459f04c1689c70a29743b87d49932cf89ed9cc
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/98f52ebe-9206-44f6-98dd-d96657f1a1ed/
Parent samples :
b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd
05261e8594490477eddd50ccd0499af1dd0f1bdeac466c1ddcf435afe4841641
f1a5b558c8b9bcc0be61cdcbac47e4e6db8bf92da025ac777d8ea7832d1d46f7
SH256 hash:
b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd
MD5 hash:
9695e045b6aa90282cddc3eb0aa5c6ab
SHA1 hash:
0ab2342061f68feca4ffc4c9220005592c11a1cf
Link:
https://www.unpac.me/results/98f52ebe-9206-44f6-98dd-d96657f1a1ed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b0b90ffc1bf2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments