MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b49e86472e01e666fabb5e6024f7405b8e3c02c7602dba20a4d937537dbd79fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 13

SHA256 hash: b49e86472e01e666fabb5e6024f7405b8e3c02c7602dba20a4d937537dbd79fa
SHA3-384 hash: 312f2440c6267f676e4546592fd414fe944dacc5257cc0a7b29db7119fffd0d42fd6954dcf9e1c3ac139ebdab901411f
SHA1 hash: d1dc4232c4373c44808a3a2b28ef68d055881989
MD5 hash: 7ef3aab728f19c93e834b543f3819974
humanhash: fillet-quiet-nuts-harry
File name: NEW ORDER FOR 2022 YEAR.exe
Signature: Formbook
File size: 1'570'816 bytes
First seen: 2022-04-04 13:24:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:zyPY1S+CxVqrA691xFTAhuq/vo0zmazrd4tn5Gf702L4:zp5kw9T5AUip0ny7vL4
Threatray: 14'578 similar samples on MalwareBazaar
TLSH: T1B0753A1E22868C85FD95DB78E87B1BA01750877649ED9303F3BC2A3DE92B3645F14B12
dhash icon: d4ccca94f6c29cc2 (1 x AgentTesla, 1 x Formbook)
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 244
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a file
Unauthorized injection to a recently created process
Searching for synchronization primitives
Launching a process
Creating synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour

Behavior Graph (text rendering of the graph image)
Behavior Graph ID: 602558
Sample: NEW ORDER FOR 2022 YEAR.exe
Start date: 04/04/2022
Architecture: WINDOWS
Score: 100
Top-level DNS/IP: www.industrybug.world; parking.namesilo.com
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures

Process tree (indentation shows parent/child):
NEW ORDER FOR 2022 YEAR.exe (started)
    dropped: C:\Users\user\AppData\Local\kay.exe (PE32)
    dropped: C:\Users\user\...\kay.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\...\NEW ORDER FOR 2022 YEAR.exe.log (ASCII)
    NEW ORDER FOR 2022 YEAR.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            DNS/IP: hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com 3.94.41.167 (ports 49781, 80; AMAZON-AES US, United States); www.mingpins.com; traff-4.hugedomains.com
            signature: System process connects to network (likely due to code injection or exploit)
            kay.exe (started)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                kay.exe (started)
            svchost.exe (started)
                signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                cmd.exe (started)
                    conhost.exe (started)
            kay.exe (started)
                kay.exe (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
            2 other processes
                signature: Tries to detect virtualization through RDTSC time measurements
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-04-04 13:22:37 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 19 of 42 (45.24%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:w83h persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Unpacked files

SHA256 hash: 1c4bb1d7860a13e901a8a53a5e80e1b8f7629b704bceed0d7371fc071712f7e5
MD5 hash: 553df024754e559cb7115ac320ee8879
SHA1 hash: 7aa5217f1fb33f5b9f2ce3faa4eb3cb902ac3747
Detections: win_formbook_g0

SHA256 hash: fd032e445ec6bbcc41a040091e2d73755b0166dd6bf42844bc23ce33128d0904
MD5 hash: 1ad5cc64cacd7a1488b3b488d4b2bc33
SHA1 hash: e5b7c13a9871df33d1933352776eaf2147cd3148

SHA256 hash: b0eb6729d5c51d45bf7c992588825a2c1866b3d9c4f14e33e3e7b933814c7189
MD5 hash: dbcd5a50d0602345a435249d2ba9f6e4
SHA1 hash: d96fbc8ee278b06b6ecb81b508b926d05c3bffec

SHA256 hash: b49e86472e01e666fabb5e6024f7405b8e3c02c7602dba20a4d937537dbd79fa
MD5 hash: 7ef3aab728f19c93e834b543f3819974
SHA1 hash: d1dc4232c4373c44808a3a2b28ef68d055881989
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: malware_Formbook_strings
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments