MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1
SHA3-384 hash: 5ee73aca5584d23784a4897dbf1f3bc119b52fb8c562af13e3c0625eb0fcff5d9d543ca485c5e84deeeb80307f88b3f6
SHA1 hash: e1f2a5c2183c4c2ef83af5665a8786b2cde5e7f0
MD5 hash: 242e931a4997047fa504b494b98dc761
humanhash: shade-aspen-may-nevada
File name:New Inquiry INQ24561.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:747'520 bytes
First seen:2024-11-05 14:07:52 UTC
Last seen:2024-11-05 15:21:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:/JDWYTRyPVZvXPVrDn+08g5QJm5xymVD75p6c0LKhrX2:hDWYTRy/V/nLP5Q8D75s4hrm
TLSH T162F49CC03A3A7B29DEB857F18919DDB103B51968B405FAE25EDEB7C73498B015A08F43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
375
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Inquiry INQ24561.exe
Verdict:
No threats detected
Analysis date:
2024-11-05 14:15:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af9d0677-521f-456a-a5a2-b47b9069b4a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.16123.24275.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672a26c78d23d9049133c534
Tags:
trojan msil hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching cmd.exe command interpreter
Сreating synchronization primitives
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/672a26ccc504082537dc44d5/reports/4083155b-187a-4a64-b7c1-2785909c64b4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bcd906b-73e5-47ca-a048-7c9298029c21
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1549345
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1549345 Sample: New Inquiry  INQ24561.exe Startdate: 05/11/2024 Architecture: WINDOWS Score: 100 33 www.ornpicsbd.xyz 2->33 35 www.utozeed.agency 2->35 37 9 other IPs or domains 2->37 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 49 10 other signatures 2->49 11 New Inquiry  INQ24561.exe 3 2->11         started        signatures3 47 Performs DNS queries to domains with low reputation 33->47 process4 file5 31 C:\Users\...31ew Inquiry  INQ24561.exe.log, ASCII 11->31 dropped 61 Injects a PE file into a foreign processes 11->61 15 New Inquiry  INQ24561.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 2 other signatures 15->69 18 explorer.exe 89 1 15->18 injected process9 dnsIp10 39 www.bud.studio 20.48.204.1, 49981, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->39 51 System process connects to network (likely due to code injection or exploit) 18->51 22 mstsc.exe 18->22         started        25 autochk.exe 18->25         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 59 Switches to a custom stack to bypass stack traces 22->59 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-11-05 09:40:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zp66w4nrvryalw4pomo6pp7kqry66r6cvmxb2bauogofjhniypaq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:md49 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/241105-rfjvcavmgp/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d145f706-87ee-446a-8ba0-1dcadce02890
Unpacked files
SH256 hash:
6d9386c76a02f4a6d7ffb685e8b61dc2a42ef30182566e33479fe9a727f42036
MD5 hash:
f3b186b167e4ffbdece4fc1ec105bb1d
SHA1 hash:
3d1db3fd2d1ca6149b8a56daea164db7e92f7afe
Detections:
FormBook
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
Formbook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Link:
https://www.unpac.me/results/2afad691-c634-41fc-a66d-6e3e10f8b4fc/
Parent samples :
cf18af34e360f0f773f774ce7231f28f6b471fa1b1739e91df0d4cfb943774e5
a66fd780dafe112e8ee95dd63b7d6138fea1e5273b961b2774e3be95a677990d
23fd85e7d0e1f372bd11f594fc1a64ac020f4a8c5adce87a70f5e9f81a66da44
c51ca12f5158ea6d07f3def983ae49f6127696f23244cf0a857da46a6d640b25
67605bfe77b822b7256723089082b0f15b23bb69e6de86191750b660c0a438e3
cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1
248ffbd7ceb70f0a8fc98a93dfde21283489b926a757cc499191d2f43931a093
07888aca315d288cf934104bbee91f5a2d6cec258f9e8052adfb496cc7ea1f16
f7cfd8a77e099b053a939902b4bc371cf0660070287b7f9f89971181d36be10e
a99e96240277999d6ac2c51b1071298e9488a4e08a24f3ac934c8c1d5f68fa0e
d079862ef124c7736c9321485c30fa19a7c944ac81bc683d123c1aa6c50414a5
SH256 hash:
1a6cfdba60cbea5e3b077c9117f3d34ae2d9fdb079281b214c579b41ae377f0e
MD5 hash:
bb837b024b033abf23c1fe3ecc7b0002
SHA1 hash:
b3abbc99298fcc1450f5b49aff2302678e924808
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2afad691-c634-41fc-a66d-6e3e10f8b4fc/
SH256 hash:
38b2a941b27144cf183ca92f545d9a2b00955465433913f82fdd9d767243e71c
MD5 hash:
d7bc19b2cd3a868c7232c485451030e2
SHA1 hash:
34715eeae5ef476082d0b1e7c59b6c97e93020bd
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2afad691-c634-41fc-a66d-6e3e10f8b4fc/
SH256 hash:
cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1
MD5 hash:
242e931a4997047fa504b494b98dc761
SHA1 hash:
e1f2a5c2183c4c2ef83af5665a8786b2cde5e7f0
Link:
https://www.unpac.me/results/2afad691-c634-41fc-a66d-6e3e10f8b4fc/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbfdeb71b1ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cbfdeb71b1ac7005db8f731de7bfea8471ef47c2ab2e1d0414719c549da8c3c1

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments