MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b102e9f6cffee4bc6d2cfdf337ecac759fd161b38fc666096d53bd31d887992d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10



SHA256 hash: b102e9f6cffee4bc6d2cfdf337ecac759fd161b38fc666096d53bd31d887992d
SHA3-384 hash: 9e958774ffd165f1061961ba6cce441a538318cd7c056374913071313ee19defc275a3e4e892e9cd218489429758f2cf
SHA1 hash: 6dcf743d786f17378b979559fe9d46837b889e3a
MD5 hash: 9d21ec3819afbf1897814e5e4e35514c
humanhash: sierra-fourteen-robert-happy
File name: Project Documents_pdf.exe
Signature: Formbook
File size: 756'224 bytes
First seen: 2024-01-15 06:03:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:EXdfvznRZcd51I1+nPuDNx/Cb8S1cyrYl6tZvwgYGdLnklKL2hDesiAYyRiraG5D:QdfLXcdYckJCbXZvtNDSJ7YyRirz1jUn
Threatray: 19 similar samples on MalwareBazaar
TLSH: T155F401993694B1DFC927CA769A982C58EA21B0B7931BD343A01311ECDA4E9D3CF151F3
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: cc8a8acc8caaaacc (3 x AgentTesla, 1 x Formbook)
Reporter: malwarology
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 388
Origin country: US
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-01-15 06:04:06 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 14 of 24 (58.33%)
Threat level: 2/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: 886accefa3c7eef555b52ec3357a2055afcc6b59660077e1e98bf885fc20d064
MD5 hash: 0331cbc97745b8b8d017c13022ebf822
SHA1 hash: e37375fb8613cc67b4bd7c1e9c6411a1aca7455d

SHA256 hash: d5a3bc28fb6e5173b202ac9f3c09e8eadae7a8c27f11cb39a3de0cfa6f0ea6a3
MD5 hash: 453d533ebfc5f55cfca0adcf3cd6f87d
SHA1 hash: 2fc5adf6477cf88be75fed29cbf020aca4b8fe2f

SHA256 hash: 21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash: 440bb4db146ccb1161ac2bcf365d7676
SHA1 hash: 506eda511b46df6e95d86861e70fda81307f8623

SHA256 hash: 59a4c0e18385086fddfb144894911693054cd870fea69a7784f77da5381a78de
MD5 hash: 914b8fb7b0c9ef79f7aef2dc1fd454ca
SHA1 hash: 4e2a55c78a7c28a12407bdd7e97cf2f258194094

SHA256 hash: ce8a19b65ff62f4ac036d475afa27ba43015b2b31f525c31ba3105d802830e88
MD5 hash: d7e8f01b4eca6526a630f00cb103867d
SHA1 hash: 3e877aa3496d3f74bb634636fd3ceb5ef41b1972

SHA256 hash: b102e9f6cffee4bc6d2cfdf337ecac759fd161b38fc666096d53bd31d887992d
MD5 hash: 9d21ec3819afbf1897814e5e4e35514c
SHA1 hash: 6dcf743d786f17378b979559fe9d46837b889e3a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam

Formbook
Executable exe b102e9f6cffee4bc6d2cfdf337ecac759fd161b38fc666096d53bd31d887992d (this sample)
