MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4
SHA3-384 hash: 37022206d6c25efa8e36977fbab88e4e4189a8d9bbc0ad7ff3512cbbec622f88e26188791414037931cebddff14f024b
SHA1 hash: 66263a6267d7f2e0d4b370608e36b78fee7e3f69
MD5 hash: 5f3fc233c42ec439a53b8cc88f52d8b3
humanhash: sweet-freddie-vermont-island
File name:z17Solicituddecotizacion.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:687'616 bytes
First seen:2023-12-13 20:17:31 UTC
Last seen:2023-12-13 22:19:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:9EftIeGy+YYUBYsQ/On7JPAogA7Xg19SrsyiJC1VIiti9e+WRySG5X/MXCO:G4YnCsrNPAogYxKHitV+6yS
TLSH T1DBE4232BAB94577AD1EA98383C73422653F49395881AD31B397079BD2CB371013E2F97
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cc0f3355332b17cc (12 x AgentTesla, 6 x Formbook)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
9
# of downloads :
342
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Solicitud de cotización.eml
Verdict:
Malicious activity
Analysis date:
2023-12-13 13:04:05 UTC
Tags:
formbook stealer spyware
Link:
https://app.any.run/tasks/3158caa0-8d14-4174-b45a-3b794acd8f41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467323/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.13036.17959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/657a117d8b5ba47db2e1836f/reports/27ec07d0-9a9f-41fa-b4b1-d9c5240f45b1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/998e03d6-5e7d-4487-abfa-5db7864ff8ac
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361727
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-13 11:13:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjmhm47xmouqlbjub2nczlboyqquhycspbedsnptj6c5vojc3pca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231213-y29ffsaec5/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e6ccaf8022d2357ff69a06944514c34a3beca7dfcf36dd9eda71340635fbcaaf
MD5 hash:
4c1d6064b5e709694f8acb629a6b5ef8
SHA1 hash:
714a2aef5c46d23c1ad4f3e3850887c50a25555d
Link:
https://www.unpac.me/results/f4021999-7f1b-4329-93fa-afc29e3b4f1c/
SH256 hash:
b9fa9b1d7c9905851ede233e43297f94bfc9cb511c9223f1897a13a36140c16d
MD5 hash:
db5366bb690034d5195fc30cb96e2cb9
SHA1 hash:
89fe4814947b3206510e7aef16b9771e133a148f
Link:
https://www.unpac.me/results/f4021999-7f1b-4329-93fa-afc29e3b4f1c/
SH256 hash:
c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf
MD5 hash:
160f4669c06c6496d79a92ea9d33e89b
SHA1 hash:
baae226fdb2a9739f118db781bdc74f2efc6a585
Link:
https://www.unpac.me/results/f4021999-7f1b-4329-93fa-afc29e3b4f1c/
SH256 hash:
3f796fd1ccc930576da3852426204df4a11e7eb965104ccef7b972807b00c43d
MD5 hash:
6bed625638d94a94a4b3b72b86df7048
SHA1 hash:
6aa49fc40d8db7bd8724e6ac77482fa753b349e0
Link:
https://www.unpac.me/results/f4021999-7f1b-4329-93fa-afc29e3b4f1c/
SH256 hash:
c0ee807a49afa96b1676fea8e06410f2ba109da6b68f276e6128baa50c8c93e8
MD5 hash:
e55ca6d4e35a69059bb50ea11bf4f1c1
SHA1 hash:
6599347d00deba98c0778700e82af68fdaf50bc1
Link:
https://www.unpac.me/results/f4021999-7f1b-4329-93fa-afc29e3b4f1c/
SH256 hash:
b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4
MD5 hash:
5f3fc233c42ec439a53b8cc88f52d8b3
SHA1 hash:
66263a6267d7f2e0d4b370608e36b78fee7e3f69
Link:
https://www.unpac.me/results/f4021999-7f1b-4329-93fa-afc29e3b4f1c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2587673f763/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b2587673f763a90585340e9a2cac2ec42143e05278483935f34f85dab922dbc4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/467323/

Comments