MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c039e290e4a70ee9df0d6ebcca435676c758a2a6a0bf734cc37fce88a03d4bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: c039e290e4a70ee9df0d6ebcca435676c758a2a6a0bf734cc37fce88a03d4bde
SHA3-384 hash: cbdc13e08f9d4acccb6baf6c42dd355fa8d137c1e3673f1d1b3c1faeea22835300c3723e7854019a01c837cce82436bc
SHA1 hash: f0c8894043fe99c5a7495753a729a1c0a29f5486
MD5 hash: 6e5ca1f37b8648039bfafdd8cb1e822f
humanhash: dakota-oven-robin-west
File name: m2 Cotización-1634.pdf.exe
Signature: Formbook
File size: 757'760 bytes
First seen: 2024-04-22 16:47:21 UTC
Last seen: 2024-04-23 06:38:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:S/BUkhF9WMBjYyciD7g0Zl8Xns7nZ19fwbg3xoTMrmhPMNlG+aoeXyDT:SU02MmniDnlWnsjj90mBqVMNlG+4XA
TLSH T159F4F11112A8C36EE79057B0F8284539437683CC3626FEE1DB52B4EA3E13B06595DEB7
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon a4d0acacecf87a98 (2 x Formbook, 1 x AgentTesla)
Reporter cocaman
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 38
# of downloads: 412
Origin country: CH

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: c039e290e4a70ee9df0d6ebcca435676c758a2a6a0bf734cc37fce88a03d4bde.exe
Verdict: Malicious activity
Analysis date: 2024-04-23 05:14:35 UTC
Tags: formbook xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 1429844; sample: m2 Cotización-1634.pdf.exe; start date: 22/04/2024; architecture: WINDOWS; score: 100). The graph image is not reproduced here; the process chain it records is:
- m2 Cotización-1634.pdf.exe (adds a directory exclusion to Windows Defender; injects a PE file into a foreign process) starts a second copy of itself and powershell.exe (loads the BitLocker PowerShell module; spawns conhost.exe).
- The second copy maps a DLL or memory area into another process and injects into cKYLJWmBCqndA.exe (direct / indirect syscall, likely to bypass EDR), which starts fontview.exe.
- fontview.exe tries to steal mail credentials and harvest browser information, modifies the context of a thread in another process, injects into cKYLJWmBCqndA.exe again and starts firefox.exe.
- Network contacts recorded for the root node: www.splnentoat.sbs, www.solar-windturbine.life and 15 other IPs or domains; for the injected cKYLJWmBCqndA.exe: www.kattenlomera.cfd (109.123.121.243, UK2NET-AS, United Kingdom), hellwich.info (81.169.145.105, STRATO AG, Germany) and 11 other IPs or domains. Snort IDS alert for network traffic; malicious sample detected through community Yara rule; multi AV scanner detection; 9 other signatures.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2024-04-22 15:09:17 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SHA256 hash: 67d443dc52be8c0eebe8a28076e9ef07dc40b87355da84e231a7d4d891c9257a
MD5 hash: 4c77df0ab09787e310619bd9ce28de32
SHA1 hash: a2bcd9a34dffd594c9d9eaf23655d5c458211ab5
Detections: win_formbook_w0 win_formbook_g0
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe c039e290e4a70ee9df0d6ebcca435676c758a2a6a0bf734cc37fce88a03d4bde (this sample)

Delivery method: Other

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                              | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                               | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)    | high

Comments