MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753
SHA3-384 hash:	a990ed946a9c8fdfa8d7291b12c0c29c5232212003bf60301519fb0f24b045557a163738631e7c4e8e846c86494e525a
SHA1 hash:	7ed94ccf6d6b42e373c492f6df2bca92a8c2f190
MD5 hash:	7d7fa5bbd40333dc8d2987e91b119c9a
humanhash:	beer-princess-massachusetts-zulu
File name:	Supplies Quotes 1029837.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	709'120 bytes
First seen:	2025-02-05 07:19:24 UTC
Last seen:	2025-02-05 08:57:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:7lEmfEoZ9E8c7jfn/YpfsEDJpHNk7s3BB874BdGjQCSz0R8Khzn3P/:7vMoE8cvnYJ3JpHNMs47MgQVFKhz
Threatray	2'103 similar samples on MalwareBazaar
TLSH	T1D3E412CAE83A6659CA0C067AC152536D4D74FC27B0DBF2990DCD7EDB0D26AC0D0A69D3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	e0e698a08088a888 (20 x Formbook, 6 x AgentTesla, 3 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

476

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Supplies Quotes 1029837.exe

Verdict:

Malicious activity

Analysis date:

2025-02-05 08:09:21 UTC

Tags:

formbook stealer xloader

Link:

https://app.any.run/tasks/5b84eb35-c031-4615-88ef-246024122470

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3215.2021.5754.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a3124951193558eb196d1f

Tags:

trojan virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated obfuscated obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/67a311353524f70142d29370/reports/8b7bce26-2a39-4155-8267-90743aa3d242/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bb43126d-8e4a-4861-8edb-7d843a0ebecc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1607206

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753/

Threat name:

ByteCode-MSIL.Backdoor.njRAT

Status:

Malicious

First seen:

2025-02-04 05:18:42 UTC

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xzujnb7tdpnond7gmydiam6dzi3mefu3wj5uu7huhw3rqjwle5jq._file

Verdict:

malicious

Label(s):

formbook

unknown_loader_037

Formbook

1feaaca78e40c551c0029fa1839ceb0d36ad12dfdd7013440736b71e6ff4f33e

Formbook

683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9

Formbook

78e8787616a4d7be2eb5c127e75e3326de2c3e2dbf2a2533163f9594c0214b16

Formbook

d24759c2da85654f95e71923c3b6a4ed23aee296e4fd70f436ee3bfa190647c4

Formbook

error

Formbook

fa3e852fa9dde2dde0c1e2254f81059f8c2f1088596e0fb9aa2e37583c26ead5

Formbook

+ 2'093 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:i62s discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250205-h56wqsxnfl/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c26e15db-d68e-4730-8fc4-e5125a55d312

Unpacked files

SH256 hash:

be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753

MD5 hash:

7d7fa5bbd40333dc8d2987e91b119c9a

SHA1 hash:

7ed94ccf6d6b42e373c492f6df2bca92a8c2f190

Link:

https://www.unpac.me/results/4ca8a477-889a-4787-ab89-75a06f5b41f1/

SH256 hash:

97ad8d98aabf95aafcbe31c443c519133c3001c93b6b1e469f415f0369da0789

MD5 hash:

bde5b484bd1df65de78d135ab525400e

SHA1 hash:

2b1dd4754a861a0583581386928c169a355239a5

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/4ca8a477-889a-4787-ab89-75a06f5b41f1/

SH256 hash:

dbce0a7d23268c7c58c144a1294fba60bacbad7f67e1754e3c022de1ca909d95

MD5 hash:

aef8c1b0209b5d61f2b08897b8f3ce70

SHA1 hash:

560656334cab5de9582b39cff2247e590e4c159e

Link:

https://www.unpac.me/results/4ca8a477-889a-4787-ab89-75a06f5b41f1/

SH256 hash:

713e2b561d32ab9ba4e8239f1887785363f2f3c9a618967c0d083cb94da1f411

MD5 hash:

a98ef02f34c557e92592cd40a9ea9e77

SHA1 hash:

c88752dbe04f709956f8305bcb312f386f742dbb

Detections:

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/4ca8a477-889a-4787-ab89-75a06f5b41f1/

Parent samples :

cdb3229e64d90c75e9205357001b037333e36ecf141098dab1971d82cfa238ee
009ba20b8c436d6b47e991e7a7f5afa3999f34096b3ee207fed916ab53af7c9b
d24759c2da85654f95e71923c3b6a4ed23aee296e4fd70f436ee3bfa190647c4
762bfb4d60c0f58658f0f04470856ae4305c4d1f7d1f3fb9c053cbb5f15fd57e
be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/be689687f31bdae68fe666068033c3ca36c2169bb27b4a7cf43db71826cb2753

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample