MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb8f5442f14a863b07396882d324759dd7addea4cf5142e9dd296a47b3fc2df5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	cb8f5442f14a863b07396882d324759dd7addea4cf5142e9dd296a47b3fc2df5
SHA3-384 hash:	18b0192cdd580e8e2d1981b77e630e487db636978c3a7eb0d3632a5eeba1218dee0076149dc8fef8442ab2aee3882286
SHA1 hash:	2f189c238ed028f6bbf044e7886aa6b7f455bd43
MD5 hash:	b5c67441c0b05ce335b2868e8ed28256
humanhash:	glucose-snake-double-foxtrot
File name:	Purchase_order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'156'608 bytes
First seen:	2021-07-20 19:00:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:GXvNKJvDBMla0cy70VD/xZowNZtyxx1hb81x9ZGMb1:GXvUkENDJZLyx569ZGM
Threatray	6'616 similar samples on MalwareBazaar
TLSH	T1BA35DF2323137B98ED7D877AA89490509BFAFC07D70AC57D3CE471DDA8B1FA86660502
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase_order.exe

Verdict:

Malicious activity

Analysis date:

2021-07-20 19:03:09 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/04ca155f-ac4d-4c7d-8d3a-757499d22398

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/172885/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3b7e1e03-f1d2-4acc-95ad-173b0e083c6c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/819191

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Process Start Without DLL

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/cb8f5442f14a863b07396882d324759dd7addea4cf5142e9dd296a47b3fc2df5/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2021-07-20 05:20:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zohviqxrjkddwbzzncbngjdvtxl23xvez5iuf2o5ffvepm74fx2q._file

Verdict:

malicious

Label(s):

formbook

Formbook

4ab9d09d0ffc49408cb40fe30791e2dbe7d6ea5cec1d44d509c0032b7b0322c5

Formbook

4d15d10d62977acbf98b94bf2d836c116b5410939809e5a961a1d9dea165c3fb

Formbook

63b94415ccf2fabff3be3a811ded9a5306d68ac197adc07d7c2be3b313e8a665

Formbook

6bd5e5d02430922bfce2893c805028ae0374fee203235b379856f8bc5f574a76

Formbook

7fe8fc25255d0fbe221579b985327bb67bb1226f39dfc71b8b59e6a2b15fff11

Formbook

9eb08a4fd35569b3034dbe07ba5334ec8c5bfe262d589bb123e838dbcf688e08

Formbook

abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564

Formbook

b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36

Formbook

f1b2b93992ab956883815e6fea926d282fc3a423675fa1faf5ffb6cbb2ddbedb

Formbook

+ 6'606 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210720-pnm4db8642/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.illoftapartments.com/uecu/

Unpacked files

SH256 hash:

2de6939257996ad34dbb3c2fda787e831a02985427b2d3433f2ccc2e69f387e2

MD5 hash:

1cc5cc3b29e823de48dbbaf8a170ad7d

SHA1 hash:

fdbf257811d9bda46f950d3c9b139b6b295ab5a8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9497b76a-7d7f-49a8-866e-ed206cab50a7/

Parent samples :

cb8f5442f14a863b07396882d324759dd7addea4cf5142e9dd296a47b3fc2df5
17d07aff0e5f1f4ef44afbd6d7e78c9e235d40f909019429ec8b1253c7a89f41
86b93054415c6e4c21fd68ad13fcdbbd9a300c275dfe4f768ffd2fdf42db4694
739caabaad723c9cf69c0381bffd77d7c7cf372408dc8970a073c3acdce5c355
08893f139b09f2dc17635f17baf1f34d2fdf730ea44a41ba54b914ffc024f0c9
afc581586580ee675ab9b0cfef4e508b9decebe330dc6a7334534d34fb7d6a2e
12d89c6e8e3ef2ec6ae4fda7dce291a2418a51daa9eba44a583ced847c9e4e42
c8ff043caee4e9cc889d1b7f8149e5c59ec43d2d01edeb49cb40fe1fd09a233a
cd29b07e8df4c895797573022551be1e7f2ba6521d19dc692c42065cb0c2646b
74c7003daae4332200908731127b6a5252417bcb89ed610532bf577d503c7465
4685c8e4c8836d97c08ac60084f1ad2a12e0abed103c9a7048e3c36b40e8ed6d
1ad6352350f0b871f3757d1994aa42fee726cdca78834f743f09e8a15bfc3dd1
e5ffe75fc564d7a8aaabd188868910ddfc90cf64862f1af80a56c306e9b2e762
19b682f4983833b4f3670a22763a06cad7476076ea99a6800e7dbc8732431fd8

SH256 hash:

88215850bf3b4a1676e88179f72b3ce6c87829809b61586cdb05393bca8cd3fa

MD5 hash:

fcfc19fc44e0f4701a0b3c77c3d9faa9

SHA1 hash:

a6b5cc7cf4511e25a74ec00fe8ff4310e6ed006f

Link:

https://www.unpac.me/results/9497b76a-7d7f-49a8-866e-ed206cab50a7/

SH256 hash:

83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1

MD5 hash:

b1a7b752b6638ee03cffe5a1dde9213e

SHA1 hash:

52d215a173d2f293990f8c12fc7f4a86330a29cb

Link:

https://www.unpac.me/results/9497b76a-7d7f-49a8-866e-ed206cab50a7/

SH256 hash:

0befcf65705ddbb83f696b00ed5d033da17ebbeb312fd9656b49d3124bd39774

MD5 hash:

71e4888ad2d3b7005d7ef1c571d757db

SHA1 hash:

203e71ad03b395e1fa356877b06c9caf0b82b618

Link:

https://www.unpac.me/results/9497b76a-7d7f-49a8-866e-ed206cab50a7/

SH256 hash:

cb8f5442f14a863b07396882d324759dd7addea4cf5142e9dd296a47b3fc2df5

MD5 hash:

b5c67441c0b05ce335b2868e8ed28256

SHA1 hash:

2f189c238ed028f6bbf044e7886aa6b7f455bd43

Link:

https://www.unpac.me/results/9497b76a-7d7f-49a8-866e-ed206cab50a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/cb8f5442f14a863b07396882d324759dd7addea4cf5142e9dd296a47b3fc2df5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/172885/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample