MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944
SHA3-384 hash: f15ecb77bf9d7ab588e499210bbbcf8744bdead26201bf9c1eb76e31351842b1d163b81902bca01739b3b1d07e12921a
SHA1 hash: 0465630ce40cd3eaf1e9f92daaccc16b9c3241e7
MD5 hash: bb06ed23d87e32af51577a5c513154a4
humanhash: johnny-mockingbird-yellow-juliet
File name:PO 4500118077.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:411'648 bytes
First seen:2024-08-18 16:19:33 UTC
Last seen:2024-12-06 08:47:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:zmb3/3zvZ74J5spMIUYYKUeq7a/WUuufBvRiD5a:2v54Jq1B6L7UuupA
Threatray 2'121 similar samples on MalwareBazaar
TLSH T1D094CF0D0BF844A4E9FE8A7489B1402887B0F55B1963FB7F538060F99E23BA59D42777
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
345
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO 4500118077.pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-08-18 16:20:50 UTC
Tags:
formbook xloader stealer
Link:
https://app.any.run/tasks/a1caaecc-962f-4194-a4a3-0af8102549b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3366.2312.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c21f33b35234d5cc66047a
Tags:
Generic Stealth Msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
90%
Tags:
masquerade phishing vbnet
Link:
https://www.filescan.io/uploads/66c21f3555c081148cca4e9e/reports/ac918a7e-4185-436e-9a64-9b49baa718eb/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ceff6bbb-60f3-4a62-b6d4-fc5f68b96f34
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494554
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1494554 Sample: PO 4500118077.pdf.exe Startdate: 18/08/2024 Architecture: WINDOWS Score: 100 32 www.bo-2024-001-v1-d1.xyz 2->32 34 www.duangendget.store 2->34 36 imgurl.ir 2->36 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 58 14 other signatures 2->58 11 PO 4500118077.pdf.exe 15 3 2->11         started        signatures3 56 Performs DNS queries to domains with low reputation 32->56 process4 dnsIp5 40 imgurl.ir 185.49.85.22, 443, 49730 ASIATECHIR Iran (ISLAMIC Republic Of) 11->40 30 C:\Users\user\...\PO 4500118077.pdf.exe.log, ASCII 11->30 dropped 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->70 72 Injects a PE file into a foreign processes 11->72 16 PO 4500118077.pdf.exe 11->16         started        file6 signatures7 process8 signatures9 42 Modifies the context of a thread in another process (thread injection) 16->42 44 Maps a DLL or memory area into another process 16->44 46 Queues an APC in another process (thread injection) 16->46 48 Found direct / indirect Syscall (likely to bypass EDR) 16->48 19 explorer.exe 20 1 16->19 injected process10 dnsIp11 38 www.bo-2024-001-v1-d1.xyz 188.114.96.3, 49743, 80 CLOUDFLARENETUS European Union 19->38 60 System process connects to network (likely due to code injection or exploit) 19->60 23 cmstp.exe 19->23         started        signatures12 process13 signatures14 62 Modifies the context of a thread in another process (thread injection) 23->62 64 Maps a DLL or memory area into another process 23->64 66 Tries to detect virtualization through RDTSC time measurements 23->66 68 Switches to a custom stack to bypass stack traces 23->68 26 cmd.exe 1 23->26         started        process15 process16 28 conhost.exe 26->28         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2024-08-11 04:13:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=znzd2ukktc2nqjjcemkjixdiaai46k5cdwx5ltmrfh7biqedxfca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10883d2d817a21862f9068a7fbaae0d363e16e64d291a291925ba002e761eff6
Formbook
62ca1c39badbfbc52c6301cb69c8356977db57656c6d98dac7e4ab908753af00
Formbook
795998e9064cb981d6a40a34fbeee48381121ea7ac7175ffe5b506b11cf843d7
Formbook
925fa037b496ed141df2f58ee1eddac36a26a9ec3bf6888c7e4066764fa0f51c
Formbook
9d833b4a66beca22dcee2a030ffa0ff1a9c72eba3f9ee50eb412f56806915f87
Formbook
bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3
Formbook
cc3e1fee438ef0fe104afcc8ac66f930074302f67f1b99995b2d526575ddc098
Formbook
cd1c9fad93fdc00b3d2b34bb65d84029c5a8529b7eba10b4922b503dca449c74
Formbook
f26ef2dc3870b6ee2f05973fcd97b1e55f817524eac8bdbe6863e584c6cf2821
Formbook
f364037856ba668a59ccec86771c5f35e45d007192c79f63d83fec463f9d1ffe
Formbook
+ 2'111 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240818-ts3t4ascqb/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/64318dc1-9eec-4e91-ac6c-d81c278174d6
Unpacked files
SH256 hash:
cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944
MD5 hash:
bb06ed23d87e32af51577a5c513154a4
SHA1 hash:
0465630ce40cd3eaf1e9f92daaccc16b9c3241e7
Link:
https://www.unpac.me/results/42eb830a-781c-4b0e-80fa-d5a90c2018c3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb723d514a98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb723d514a98b4d825222314945c680011cf2ba21dafd5cd9129fe144083b944

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments