MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e
SHA3-384 hash:	3dda16fbf7073e89f8dbbcd8cfde84161efc7cdc0b312b9cd6acd2c386d4f503a14719a76e70db23dcf2cee9d099bceb
SHA1 hash:	6704b7e7022b31053dc6389f946db8505b5681e6
MD5 hash:	5e3e9036788808920a3ca6c8943ed407
humanhash:	network-single-football-shade
File name:	r5月帐目和发票.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	656'384 bytes
First seen:	2023-05-11 10:32:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:TYvasUQMHx8s+rck5kOGNMx4Dv1xMc1sH+p0GpyGsa8Tp4VolYYWWjp12wl5Obps:TqUQmJ+S9NMxyvta9GsaLiYr0vz4pud
Threatray	2'811 similar samples on MalwareBazaar
TLSH	T10FD4DF48523BBFE1CAA817F0261434434B7DA11A74B8E0BCBD5B74C9C8AEB115BD4B67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	3571413931695171 (5 x Formbook)
Reporter	FXOLabs
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

265

Origin country :

BR

Vendor Threat Intelligence

ANY.RUN

Malware family:

n/a

ID:

1

File name:

r5月帐目和发票.exe

Verdict:

No threats detected

Analysis date:

2023-05-11 10:32:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e0f81a24-efa4-4278-b16a-ec4b7b2344d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Formbook

Detection:

Formbook

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388395/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645cc45e0516095d50d3ce8e/reports/630789c6-f0d9-4e83-bdf1-572d32bb93fa/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf2cb4d7-aed0-4749-89cc-f5b006e787fc

Joe Sandbox FormBook

Result

Threat name:

FormBook

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1230729

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.SnakeKeylogger

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-11 07:08:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

11

AV detection:

18 of 24 (75.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x56qkbrhu67wpllux3lm6fm5gdeiii5bydxvh6p5zafws57htwpa._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea

Formbook

13787d324c97537e5d73a1a3a0c72cdd35c2fac0c89b95589cc0fd275329a3a1

Formbook

2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b

Formbook

3fe2c04c33423019af7464d50b3df0775a565e9a31e1a289b49e4e180585ab00

Formbook

52582001ebe2883d2f5b20f0de69b42c27aef25ec30e09e1a294b9ae2c8131c3

Formbook

a1fc12e0b11dc727c1e4f58da908d512b2ea1fb69cc317e024390440807d62eb

Formbook

abbf85558290e3fa302f88f51243e5216f24c9bc4fce64a0f616db3be2c46e8e

Formbook

d52990c3733f37b8d26a05d7db3864d5815bdfe6ecbaade840b81402e3cc29e7

Formbook

f508b66b3b6398f2a4d73ecfd057ab0804320d523e09feefbe59ee33b1124508

Formbook

+ 2'801 additional samples on MalwareBazaar

Hatching Triage Unknown

Result

Malware family:

n/a

Score:

  3/10

Tags:

n/a

Link:

https://tria.ge/reports/230511-mkzzxaeg7t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

UnpacMe 6

Unpacked files

SH256 hash:

5bf082285db878674889c745705747b6baa2e2780b9c6562877aaf62d3faf99f

MD5 hash:

e5dfd73907860d46379d7b5080a11d38

SHA1 hash:

f70fe8895457dd33762677dd488a1bae43cbbb4c

Link:

https://www.unpac.me/results/876bcadd-017e-4282-befa-ce2bebf60a98/

SH256 hash:

ef7e491d05f2be746f1d82c124eef013037f32a23ec918a12b48bd5e1085906b

MD5 hash:

4632ce7d13d6d8ef78e8a56e101d872f

SHA1 hash:

85010cb551b2212496cd0f7f3df8418454237afc

Link:

https://www.unpac.me/results/876bcadd-017e-4282-befa-ce2bebf60a98/

SH256 hash:

30991c7c1844c8dce06164a72c2d0d91bea6074a9a28c3fd57cab18a7ccc2d7c

MD5 hash:

8eae3230cff8c9ca23c41bb18e5215d2

SHA1 hash:

c9fc102e3e2315bc0346a83d151634298ba8f1ed

Link:

https://www.unpac.me/results/876bcadd-017e-4282-befa-ce2bebf60a98/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/876bcadd-017e-4282-befa-ce2bebf60a98/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

c72ca892abebd8794a9544913d071c3c91356f5075509717727e180e87cb98ba

MD5 hash:

25383385b11436b817ed4dc0419f4e24

SHA1 hash:

9441f35f45a30503ebb2c717209f29341b5b48b6

Link:

https://www.unpac.me/results/876bcadd-017e-4282-befa-ce2bebf60a98/

SH256 hash:

bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

MD5 hash:

5e3e9036788808920a3ca6c8943ed407

SHA1 hash:

6704b7e7022b31053dc6389f946db8505b5681e6

Link:

https://www.unpac.me/results/876bcadd-017e-4282-befa-ce2bebf60a98/

VMRay XLoader

Malware family:

XLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bf7d050627a7/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388395/