MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b907644a3bb4a1b9c09a952057ab8c9bcc7111e2e918115cdff09735181ea6a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: b907644a3bb4a1b9c09a952057ab8c9bcc7111e2e918115cdff09735181ea6a3
SHA3-384 hash: 0f2fa34da87bc34ec69a0c404660ea0946f1f94d600a879b184642cd4f860eb80d50c5dbb99458e8fd42277269be8b10
SHA1 hash: 2ed3986138b55414c7400e0cfed4228022343eed
MD5 hash: 88d5497700f291953554b840805876b6
humanhash: april-alpha-west-missouri
File name: DHL consignment number_#800595460.exe
Signature: Formbook
File size: 617'472 bytes
First seen: 2023-11-08 07:46:24 UTC
Last seen: 2023-11-08 09:20:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fk0meL45Mric5c2VZsXYDG8iqYuilr6M6FraAXX/NMU96vcu4uhLGI4bm:f7LscI4G8i4ilrh8rn4DhLc
TLSH T187D4232C724C0167C9FD87FFC4468B208B3241176B72D7AD4984B2599FBBBA11C867A7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 4432706969b2b030 (3 x AgentTesla, 1 x RemcosRAT, 1 x Formbook)
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 289
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-08 02:23:34 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 20 of 38 (52.63%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b907644a3bb4a1b9c09a952057ab8c9bcc7111e2e918115cdff09735181ea6a3 (this sample)

Delivery method: Distributed via e-mail attachment

Comments