MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063
SHA3-384 hash: 58cb3729b173cc25ff499a30e228652615e0982320e597a40c2a497d9fb5db4698eba3037666b5e4c741e3c92998fb7a
SHA1 hash: 804234acc76dd2b2c6d51ceda2fa8ad3ccce7f1e
MD5 hash: d8742afc457bc151c703002ee73a76d9
humanhash: winner-lamp-oscar-bakerloo
File name:Purchase order 4503466547.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:445'952 bytes
First seen:2022-02-02 18:01:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:5VO7JOT+CiyI/tTmsJmHlrXKEfTPtVkYeL:5VOVOCtTrmHlv7zkYe
Threatray 13'068 similar samples on MalwareBazaar
TLSH T170949DB4A1A78691F40B89B4257CFEA502B330E3E9C60D3957697641CFEDE583F8460E
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/230507/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61fac6e56d25ac9e79fd8339/reports/78c64ffd-0e89-43af-aa34-a447043b8007/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c376470-758c-4148-966b-eafeb9c8b20d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932648
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 01:41:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zeldjh2fhdhtbs3tonhvzezmchmcn7hv2cl3pl6rxpdnkcatcbrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
016ffff295ef62f445fc834377c44e8a843a0f11899cb88f9e4e0e05c54bc7e9
Formbook
096f3ff47b6726f118a0c5d11ccd29e49c65f3b3de7e10541b66d90b6212ff74
Formbook
13d4188437fd7caf662393052ef82808bf70cdb5e31fcc2f162ad2dffad377aa
Formbook
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
459c86bf11535b9d62c895a6677a5eb40d8f0cf3136477e5da746045bf3fb6a3
Formbook
4645255a1302be5b36e6814261279dc48d24f03c3a170b0b2efca04adacd2718
Formbook
589713496bc1f527bbccff193646a94b310124f01cd15b36f633a8b7d6686fb3
Formbook
67bf345a4ea3e03b4b58a7d9e47f9d31a93f79fefe4e69067ee6c15250930169
Formbook
e8d3f12a56c28288654561a8061cf6127bd4c6baa4db19ed35faef1bac454335
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 13'058 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:eb4c loader persistence rat suricata
Link:
https://tria.ge/reports/220202-wlwhjshcak/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Sets service image path in registry
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
e9e80f4baa8036b669486e9135d8b728cffdfda7f8593aa6419ef651bb0a1964
MD5 hash:
89bd7369bc6b563cdea8b5f0be88e1bb
SHA1 hash:
a1a5447d5bdd13e69373d3c45266a3494d7b1a39
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c1177493-71e9-440f-b5b4-710445168c0c/
Parent samples :
c4d096042c9e65f145f6d066277103fdcba41538ccca8827ac3a503a1088df2b
459c86bf11535b9d62c895a6677a5eb40d8f0cf3136477e5da746045bf3fb6a3
589713496bc1f527bbccff193646a94b310124f01cd15b36f633a8b7d6686fb3
c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/c1177493-71e9-440f-b5b4-710445168c0c/
SH256 hash:
4f98bf2453db5ce83c8fafd950b8d1d805e4ecc7481ca4f08d1644cb3281f406
MD5 hash:
926cc739a1a0e98b493ab33f60e5a3d1
SHA1 hash:
42e1eeeddf788983f4fffa0354ff8603f352c3a3
Link:
https://www.unpac.me/results/c1177493-71e9-440f-b5b4-710445168c0c/
SH256 hash:
c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063
MD5 hash:
d8742afc457bc151c703002ee73a76d9
SHA1 hash:
804234acc76dd2b2c6d51ceda2fa8ad3ccce7f1e
Link:
https://www.unpac.me/results/c1177493-71e9-440f-b5b4-710445168c0c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c916349f4538/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c916349f4538cf30cb73734f5c932c11d826fcf5d097b7afd1bbc6d508131063

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/230507/

Comments