MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e
SHA3-384 hash: a9b46ef71c1cdf034d2597150780edd70c5c1804d16fcd3fd553f2564d81b2d0951e43b8be7942c16ef1eb514889c13e
SHA1 hash: 19f6cf2373063c6681543097ff8349a64f3f69b4
MD5 hash: e1a79752a7fb2cdd97cc6ab44c04e426
humanhash: carolina-cup-mountain-hawaii
File name:Order List 1009362.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:827'392 bytes
First seen:2022-11-15 11:36:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'458 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:PRr1XaHMtYiL5u3yz0SceiXfcktZEtWegwH8U:JrBQg5uC1aUoEsegwc
TLSH T12005125AF323FEE8D52943B929319D222FB1980A99ACCD7D1C8533AA4C75743025BCD7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Order List 1009362.exe
Verdict:
Malicious activity
Analysis date:
2022-11-15 12:00:29 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/eeb3a2a6-cebc-468b-9a71-7e9d53f590e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/334232/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46272.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/637379f407c3f5e84a01404f/reports/ba0e5f33-3a95-4dd6-8f92-c7a089bb120f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8f52477-6188-4d20-983a-ed44cdc059e1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114238
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 746933 Sample: Order List 1009362.exe Startdate: 15/11/2022 Architecture: WINDOWS Score: 100 28 www.wohuaiyiwocunzai.xyz 2->28 30 www.queenlexjewels.com 2->30 32 7 other IPs or domains 2->32 36 Multi AV Scanner detection for domain / URL 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 8 other signatures 2->42 9 Order List 1009362.exe 3 2->9         started        signatures3 process4 file5 24 C:\Users\user\...\Order List 1009362.exe.log, ASCII 9->24 dropped 12 Order List 1009362.exe 9->12         started        15 Order List 1009362.exe 9->15         started        process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 12->50 52 Maps a DLL or memory area into another process 12->52 54 Sample uses process hollowing technique 12->54 56 Queues an APC in another process (thread injection) 12->56 17 explorer.exe 12->17 injected process8 dnsIp9 26 www.matthewpmansfield.com 154.89.126.83, 80 COMING-ASABCDEGROUPCOMPANYLIMITEDHK Seychelles 17->26 34 System process connects to network (likely due to code injection or exploit) 17->34 21 control.exe 17->21         started        signatures10 process11 signatures12 44 Deletes itself after installation 21->44 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 09:00:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zm6ay2w7laqbo67c4scmdavte5jflqan53ydm5s4df7ixyfu2fxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gvv5 rat spyware stealer trojan
Link:
https://tria.ge/reports/221115-nq66vahd8x/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4d51a4f6-52a1-40b4-b4ae-4703519b8130
Unpacked files
SH256 hash:
f956ac6be8688dc38e5cda8afd9d1954f2ff3a0c425873e512c1379596636716
MD5 hash:
d4b40aecef4473fb325d65035f2ee152
SHA1 hash:
ebae8a2123fb1e6dab938cfe715ff0a644b49616
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
Parent samples :
1d2541a6fdac8e1f716e4004df05c2658453b90cc19883816d9ff890e8e09ff6
ab807ccbd4ed120b1ad69084ec0cf6780e21a5ba69ec1a1614beee32476bc29b
cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e
SH256 hash:
c0e1bbe2304d89804673b63a17416041e299c2773aceec70759f1094829b189e
MD5 hash:
47c9aaa4eef6e3ace27ccbde29a5c848
SHA1 hash:
dfbc78c9b2ad768bb8946cd2d12e389258329a9f
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
SH256 hash:
4bb714135c8504247c568eeb99e97bd0d451b127db8cef9c00284c3704c95672
MD5 hash:
59fe26421c30e9ac94901b4ff351d130
SHA1 hash:
a31a5c721e902cc787de7e76ffb5351bf13359de
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
SH256 hash:
0bf8b5217a7d97266987c5a1e4411d9eda0098ba2455bf42b4b9c198779612dd
MD5 hash:
dcf20dbb64fbade34cc59e4160276773
SHA1 hash:
ba91d07a17225da22e2d5974d5187f5279d1bfb0
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
SH256 hash:
32437f0558b775b02b61b4a526380d7dc11b80bef145863ac44e29a8ddda9572
MD5 hash:
774e916f131a068bbe99fa34eaab56d6
SHA1 hash:
4e17e3c98aa849f58bb8e1f1638f3bb80c34d45f
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
SH256 hash:
92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90
MD5 hash:
046e97119545e5abde2f40b5dc3a0344
SHA1 hash:
3e69b67ddff2554c8cd72e129d4da9c8acd9d331
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
SH256 hash:
cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e
MD5 hash:
e1a79752a7fb2cdd97cc6ab44c04e426
SHA1 hash:
19f6cf2373063c6681543097ff8349a64f3f69b4
Link:
https://www.unpac.me/results/d31f02cb-e6fa-4103-8f94-735bf5041a1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cb3c0c6adf5820177be2e484c182b3275255c00deef036765c197e8be0b4d16e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/334232/

Comments