MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e
SHA3-384 hash: 1f1040aaa006eb80e048f440ad4105332dd8089f25c075239606c1cd6eef6c10434b4be5bef08cc586438c165eef82a0
SHA1 hash: 3e6a3ba2dc7380aa3c84acd63a5a44be531ff867
MD5 hash: 8352536a22636ec6ac4efa4a35966459
humanhash: spaghetti-florida-lake-mirror
File name:Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:627'712 bytes
First seen:2023-07-26 05:50:14 UTC
Last seen:2023-07-26 05:57:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Uf2iN2GUL0TXwHEutvqcLEeZydm2qYIAMvyNxyST0hxn9h+8hPpDz5k:Uf1xUL0Tgkutvq/R02x8Cxyjlc8hPZz5
Threatray 3'366 similar samples on MalwareBazaar
TLSH T194D412457ADC1B1AC97A13F66AA195104FF1F99B9131E3182ECB20DB4B23F5112E0FA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-26 05:52:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f86d94cd-daae-4a3c-9c75-f75c042d75a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/433341/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c0b446bf0894a95b717825/reports/25a0e355-d4b6-47ae-a655-d5771e727195/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c19f885d-20b2-49b4-9453-35718cd93e7e
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1279820
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 00:55:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yg46mj7tx2vi4ns4bpocibbv4lvpi63gjuundqwc7wczxwjxhv7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ac28f2913c6e2d231d0b67b49a3491f4046221a42ca349f586e0532ac257575
Formbook
5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496
Formbook
69390302e6a82cad49f3eabbba2f274a63202c9df899709de1d78d7f8a9a9584
Formbook
6c5d418831206f110eac092468ea4197e3253f3350e48b0986e130995bd46451
Formbook
9202b35448e653781c1e8d04a5f1266e40116832675be9b096034f4e0861c78c
Formbook
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
Formbook
9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
Formbook
9cfa472702dbedc0f87b0e594d3c8ace16e1c9952d8d7e44be8aa9114b214c45
Formbook
be2475ea44f278e69a3ac0e3c4e159011d3e44fd79630ea44318c67fae703a2a
Formbook
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
Formbook
+ 3'356 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230726-gj6heahh8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
73cbce983e9c510a0a1050edfb3d1219760ededde72ee7016eed5acd59453e2a
MD5 hash:
477531adca63f6dceecbd73fc2053738
SHA1 hash:
deef3a708cbcee3859442e71f1e61cb5736e4c82
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f95e6665-d267-44aa-87b0-17d79a3723d8/
Parent samples :
be2475ea44f278e69a3ac0e3c4e159011d3e44fd79630ea44318c67fae703a2a
c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e
SH256 hash:
5406cc28392692d455c448bd6bb276b25e05e6cc213af33b2fc047b4a6d85a5a
MD5 hash:
3e7dbf2d7739e75368a5670594de6a95
SHA1 hash:
ad89ee019498af9d281ba8ae1fc88ce6e1f7862a
Link:
https://www.unpac.me/results/f95e6665-d267-44aa-87b0-17d79a3723d8/
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/f95e6665-d267-44aa-87b0-17d79a3723d8/
SH256 hash:
1bf69033e97a8ad8d59469dd2f1aa57bab7461345e9993acc83afa48029c95ac
MD5 hash:
58419415321b3303da79fcd299874125
SHA1 hash:
a7a4c4fb47ccefd232a543219e2f4e0e12520912
Link:
https://www.unpac.me/results/f95e6665-d267-44aa-87b0-17d79a3723d8/
SH256 hash:
6b36e714c6fea9cfc93f69bf0d11a82b3e89e17b328cd1a6347e2b69988f69f3
MD5 hash:
9be703e90825a5b803563d6f06da5c77
SHA1 hash:
21b047215ae32bd298ce2a1818fb45d49d813927
Link:
https://www.unpac.me/results/f95e6665-d267-44aa-87b0-17d79a3723d8/
SH256 hash:
c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e
MD5 hash:
8352536a22636ec6ac4efa4a35966459
SHA1 hash:
3e6a3ba2dc7380aa3c84acd63a5a44be531ff867
Link:
https://www.unpac.me/results/f95e6665-d267-44aa-87b0-17d79a3723d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1b9e627f3be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 86bbccd1e990a5ff3472fb21988d93c7325773410e3072c0ba720c80deee94d9

Formbook

Executable exe c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/433341/
  
Dropped by
SHA256 86bbccd1e990a5ff3472fb21988d93c7325773410e3072c0ba720c80deee94d9
  
Dropped by
MD5 a0cb857b724f2cd0047926ea91013253

Comments