MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0
SHA3-384 hash: 4482e7574e84667d73e359830a1703b1eedf6ed2643535a2910ef82d9811b4993bfae9bdb520e2b17f5ce7ebe320502b
SHA1 hash: 19aff3a1b435064dade4cc095f9d10a5b6ba9859
MD5 hash: 8ecc522f8617adaf469f173400806dcf
humanhash: music-salami-violet-connecticut
File name:Confirmation transfer Ref No_00101334632192.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:976'896 bytes
First seen:2022-12-03 22:22:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:ukqTTiwAAgEEY4olXoFZ6toHqwjwv0E6:ITQpo9aUvt
TLSH T135256B62D7B1C906F93388EEA2DC5B551CA851C148B84849CD133E905E78CABF5FC9FA
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Confirmation transfer Ref No_00101334632192.exe
Verdict:
Malicious activity
Analysis date:
2022-12-03 22:25:34 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/980e5b63-577b-4d3a-b710-234479f1581f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342373/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638bcc480a5c344f30c1405c/reports/e204403f-e2bb-462b-af57-d9f9a1974481/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5cbe117-cb0b-40eb-a814-274e07d51e79
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127219
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 759943 Sample: Confirmation transfer Ref N... Startdate: 03/12/2022 Architecture: WINDOWS Score: 100 49 www.fhsdzt.com 2->49 57 Snort IDS alert for network traffic 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 12 other signatures 2->63 9 Confirmation transfer Ref No_00101334632192.exe 7 2->9         started        13 PuscvCO.exe 5 2->13         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\PuscvCO.exe, PE32 9->41 dropped 43 C:\Users\user\...\PuscvCO.exe:Zone.Identifier, ASCII 9->43 dropped 45 C:\Users\user\AppData\Local\...\tmpF90D.tmp, XML 9->45 dropped 47 Confirmation trans...01334632192.exe.log, ASCII 9->47 dropped 73 Adds a directory exclusion to Windows Defender 9->73 15 Confirmation transfer Ref No_00101334632192.exe 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        75 Multi AV Scanner detection for dropped file 13->75 77 Machine Learning detection for dropped file 13->77 79 Injects a PE file into a foreign processes 13->79 22 PuscvCO.exe 13->22         started        24 schtasks.exe 1 13->24         started        signatures6 process7 signatures8 85 Modifies the context of a thread in another process (thread injection) 15->85 87 Maps a DLL or memory area into another process 15->87 89 Sample uses process hollowing technique 15->89 91 Queues an APC in another process (thread injection) 15->91 26 explorer.exe 15->26 injected 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 24->34         started        process9 dnsIp10 51 www.ramlendingservices.com 162.214.129.149, 49710, 49711, 49712 UNIFIEDLAYER-AS-1US United States 26->51 53 recipecity.quest 162.241.123.152, 49706, 80 UNIFIEDLAYER-AS-1US United States 26->53 55 19 other IPs or domains 26->55 81 System process connects to network (likely due to code injection or exploit) 26->81 83 Performs DNS queries to domains with low reputation 26->83 36 rundll32.exe 13 26->36         started        39 msiexec.exe 26->39         started        signatures11 process12 signatures13 65 Tries to steal Mail credentials (via file / registry access) 36->65 67 Tries to harvest and steal browser information (history, passwords, etc) 36->67 69 Deletes itself after installation 36->69 71 2 other signatures 36->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 06:58:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
29 of 40 (72.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wds6ck7kqodonydmqlsoeusxwitetjqiwlxsuwmtgkdzta5aacya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:q4k5 rat spyware stealer trojan
Link:
https://tria.ge/reports/221203-2askeaaf92/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/675a166f-04fa-4157-ae8d-3ed38226331c
Unpacked files
SH256 hash:
dc167c51e5b18a4f3082103c883acd0e2731355790b162fa028c464529c6c8fa
MD5 hash:
59206528ecaad5375d547e8a9c2616f6
SHA1 hash:
69fdb679ed8157c39455350c9012831d5c10f682
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
Parent samples :
efe299573660e349b6169b099708c6794d5b593095b9a81ac5000a9b18936252
987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
fa6c3d318b33c9f659b283d02ed355e6c82988ed44d5f7458f043ed6d7997d9b
f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
SH256 hash:
894053c4ccde8e981818530f3890240aac621a745ded33c058496562181a2cb1
MD5 hash:
987b5b7b10457a0685a2b3e64fa3398c
SHA1 hash:
3be6f7b24b17be260e215e3b80a57d59c8d7e4c6
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
SH256 hash:
0fe540dee5db66d03a51a83ebe65b82b5da17b96e42ce9a467a2ff77938c8acf
MD5 hash:
6e13a148ca569e507d425cf1d4035a97
SHA1 hash:
aa10a5cdc2aa3728d3057d2ec473c74ba9fcfa7a
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
SH256 hash:
2aa9213e1d863d97091cfa85c59aec1d639004b0618b29d1530754aa96b9cd6e
MD5 hash:
2f309c822512389e315f5d1eff9224c1
SHA1 hash:
637bb154d74d0ad3bea2c768b37374e4c4c1e53f
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
SH256 hash:
b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0
MD5 hash:
8ecc522f8617adaf469f173400806dcf
SHA1 hash:
19aff3a1b435064dade4cc095f9d10a5b6ba9859
Link:
https://www.unpac.me/results/98d16c6f-9dff-452e-937e-4a2fa65364ac/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b0e5e12bea83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/342373/

Comments