MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005
SHA3-384 hash: 73d54a8a9e213961f04e92727bb4ffa34d486b278da35bacd98fd2062ed397eb90aed42feb6f2415146fed66ba84caa8
SHA1 hash: 37d1e1254101eadcd3d4507dcf8917c163589dd1
MD5 hash: ba12e92e34460bcfc923dfbc872335a7
humanhash: nebraska-potato-beer-robin
File name:Purchase Order 10924.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:775'168 bytes
First seen:2024-09-10 05:23:36 UTC
Last seen:2024-09-10 05:56:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:CA1+vOFyrZxDSSG9AgoiiKMcp819pITrAWXzC7ClJFtGe341xDcdS9:CGf4SSGigoiif9pI4Wt5RUxM
Threatray 18 similar samples on MalwareBazaar
TLSH T1B7F412557254D943CBA907F50839EBB00BBA3F6EE011E3CA4EDAECD73880740A954B5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon c80e173333170ec8 (7 x Formbook, 4 x AgentTesla, 1 x MassLogger)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
442
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Purchase Order 10924.exe
Verdict:
Malicious activity
Analysis date:
2024-09-10 05:24:45 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/140db404-60f4-47df-81b8-b8caf604db5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.1827.2686.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66dfd7f5751db35a8b9f636a
Tags:
Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/66dfd7f5f13dedfc44744421/reports/e8343a6a-13fe-49fb-a425-db480c8c8e5b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1f6416c1-2cfa-40c2-bbc1-5d3cd630a734
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1508422
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-10 05:24:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjdkbaneywtilehvh4xhkzfhodpt2kvbmjzpjhxcvuwsxctncacq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c8b43fd65a13e27fd960fc1d5995c9e0dc63d4c80803fde0e4505de86a3186a
Formbook
3efc2b27292ebddae979c22e9d9098832f35faa1c3403ef58f5b20e8e1e2f0c9
Formbook
5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7
Formbook
790d513dba5e0953168860be69f6349f5f97fc91a44848964f4dac9c9b81a579
Formbook
db0f9627eb6f6d633f7211ce94d2ab53277140634443909f78b96a7b18c48b9e
Formbook
e964192f47b1128e8e99ac2ef07ddeb1edaa662f426925989addde2b04833b9f
Formbook
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240910-f3p44azdpb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c41f602f-8825-4d69-81e6-39adcb9e09d2
Unpacked files
SH256 hash:
bff286f985c22b56c9a653ac87df8f5c45051c63aee3f995ea0f937ae2faa22c
MD5 hash:
9b7abd2ff2fdcf612068ac28b7a2cd3d
SHA1 hash:
bb98e052dee85287d71fc2bf8c6314b7a4fff096
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/d8dbc3fb-37f8-40a3-b44b-5fb8671a1087/
Parent samples :
2c8b43fd65a13e27fd960fc1d5995c9e0dc63d4c80803fde0e4505de86a3186a
5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7
b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005
f4bd1f9dec0127be05780b194dba31eda1a4882ec5df8e46c93aa6b58a5f337e
df3c78262e1d216441fe9888920c87ee92fd963b4b3823e3e99b208b8b5b6101
7a54497b3213ca0a232b8483c0f23046b9d51a6c9816f768ec30094a72c47a9a
aba7d28fae8686990a87616f3a8b688865bfaa9bfaa0b85a3001c49ed5f3cd43
SH256 hash:
de9a19e98075663d459f5af6dee73ea137d7e80b924f2857dbc96a7f4fd449fa
MD5 hash:
aebcb745b8ac53dd84499e3e54e49092
SHA1 hash:
04634b789823299495ba2a3fbd7923347e2df0be
Link:
https://www.unpac.me/results/d8dbc3fb-37f8-40a3-b44b-5fb8671a1087/
SH256 hash:
769e0bf3e997bbb7d70322fc3dea9d8f167847b9262a35246dcbf9e1169b45b6
MD5 hash:
59a95cbe93818b6b7172c2e17234416e
SHA1 hash:
7c44bacb857916b1b2307d822fcf3f92a3902fc7
Link:
https://www.unpac.me/results/d8dbc3fb-37f8-40a3-b44b-5fb8671a1087/
SH256 hash:
4a844a552e5136be08709746c869052d2934ff487ab8b01482ba08dd35e4c92b
MD5 hash:
ee8e0d215130074a4177769f9263feaa
SHA1 hash:
42b3e7d3aee1887750359f6b79aa93b9bfa25854
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d8dbc3fb-37f8-40a3-b44b-5fb8671a1087/
SH256 hash:
c59a72e874640d2d2c5669edc14fdeb82a72cbacde61679907d2926b8ed79d08
MD5 hash:
b37fc99b846edbde0d0f36bee1760849
SHA1 hash:
0016396b048dcbda5b87742c32678f706db6362c
Link:
https://www.unpac.me/results/d8dbc3fb-37f8-40a3-b44b-5fb8671a1087/
SH256 hash:
b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005
MD5 hash:
ba12e92e34460bcfc923dfbc872335a7
SHA1 hash:
37d1e1254101eadcd3d4507dcf8917c163589dd1
Link:
https://www.unpac.me/results/d8dbc3fb-37f8-40a3-b44b-5fb8671a1087/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b246a081a4c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments