MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed
SHA3-384 hash:	b1e3abcb490455d1748bab191fd1c5302cf82cd0f2cdd3504e31ecf5d85964c94d1e210ba0d6b36a8f22a7d83217e104
SHA1 hash:	ffad234dfc77ff46bd7872cf469823cc33c719c0
MD5 hash:	daf38969ea84ef75b59a19518ecb825c
humanhash:	five-ack-vermont-angel
File name:	shipment document_for your review_2543846930.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	747'520 bytes
First seen:	2023-04-20 13:12:24 UTC
Last seen:	2023-05-13 22:57:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:uDiE3lkHMH91DzZZlEOfaNbv6dxx99WKvkdsua9cFcPVl/4A/pH:uDlkHMd1DtXANbvkt9WKusuhFcPVxVH
Threatray	3'298 similar samples on MalwareBazaar
TLSH	T1DBF4E095B766D752C2683D3D81D621282BB199C7F426CA3AFDC9114D7E23BC91F8038B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0070696969696000 (12 x Formbook, 9 x AgentTesla, 5 x Loki)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

shipment document_for your review_2543846930.exe

Verdict:

Suspicious activity

Analysis date:

2023-04-20 13:12:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1693372e-f91d-41ef-a2f5-fdc324b709b1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/383774/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64413a5f5cfa4694c2d82486/reports/a9c314c1-bc2f-4608-9e81-2a5219601c19/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9db3dd6f-79a8-47e6-b0fd-3224a573362b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1218044

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-04-20 02:49:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 35 (37.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvah4zsfhyansy3icivr3b3bzgk2uouwa2mv3pkg5qlctxv3ddwq._file

Verdict:

malicious

Label(s):

formbook

Formbook

08e9b87ddb401b7d06928ddc9034e7057b57667ed2b3c2f4b8ec9209aeaca055

Formbook

0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e

Formbook

187e9a262dac093e04914b16b11f41adec97c3115f4a6b5e5cf1125d2be8eeca

Formbook

23af85d9373c400f00f17590112f4545c9a522427bf6e1de80dcb028b8538bbd

Formbook

416d574131255e4656d9d548ef7c74c1ba3850aa80a9acd9dbd0352eb03053ee

Formbook

9c5a321ef423a10c264e0bc599091753b279c557b18b2f655bcd4eaf7d883ee5

Formbook

9d4c77bd302c7e10db596ec2584943791c5c70038014fd786735cb0f4e2b931a

Formbook

9d83a9e060a29f32c19203afbffe3e6b3d22d71ec4779bc7139c0b22a9881e65

Formbook

dea2eee60b2f932557806044485e6ed4dbb1369acf6a28880251ffcdd68d80b5

Formbook

+ 3'288 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:c29i rat spyware stealer trojan

Link:

https://tria.ge/reports/230420-qf3f1sca4x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

257fc20e7d669ad99b02171c3ad8e283c15a03f37353b86dfc9ce7f97a2e83f4

MD5 hash:

5ec006776d581c467571140ae88a8fc5

SHA1 hash:

79146bdccbcdd91c70ebab114e202ee8b611c2b9

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/074b9ac6-7f58-449d-9518-4c165cd9c119/

Parent samples :

2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080
0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af
bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed

SH256 hash:

b7fee19bc82c437c1a7193519a404cf79457cdd81888d3ad6c495fc697fbcd4a

MD5 hash:

449fa1bef19b8218fdc40c354910efbf

SHA1 hash:

ccdfc81d524168c9ff4951ae09f598c801451b9f

Link:

https://www.unpac.me/results/074b9ac6-7f58-449d-9518-4c165cd9c119/

SH256 hash:

c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0

MD5 hash:

da56041df789c24cb2a36a364431f766

SHA1 hash:

876e6c579d1092a76ce90c500c43af0cf11724a4

Link:

https://www.unpac.me/results/074b9ac6-7f58-449d-9518-4c165cd9c119/

SH256 hash:

5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2

MD5 hash:

b3bbc5461d12f07ea893bf415dfe7c89

SHA1 hash:

40c3156c471d2afe3fd88c7d20cf93e5782e1bd6

Link:

https://www.unpac.me/results/074b9ac6-7f58-449d-9518-4c165cd9c119/

SH256 hash:

6dc2491ea9c83f3bee23ed12690f4a3dc7da4f5b32b1eaf83f7b914296f1ac74

MD5 hash:

97b82a6fdbdbbdab1523a46d55a4e12a

SHA1 hash:

0294d995dbbe15a9c68819a545c52cf47817f18c

Link:

https://www.unpac.me/results/074b9ac6-7f58-449d-9518-4c165cd9c119/

SH256 hash:

bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed

MD5 hash:

daf38969ea84ef75b59a19518ecb825c

SHA1 hash:

ffad234dfc77ff46bd7872cf469823cc33c719c0

Link:

https://www.unpac.me/results/074b9ac6-7f58-449d-9518-4c165cd9c119/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bd407e66453e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/383774/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample