MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a
SHA3-384 hash:	81aca82e1a5ba2fb9c05afb495685dbf7ac5baaf995f0c93c866dac89ef307dc8758a92c245435fd65a6cbc43bde56a1
SHA1 hash:	272afcc621eecb76b7986fa80fd4fc235adfde60
MD5 hash:	7280b74e4cf0685d974bbb8d60a57ea0
humanhash:	lithium-carolina-july-zebra
File name:	Nueva orden de compra.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'188'352 bytes
First seen:	2022-03-18 15:12:56 UTC
Last seen:	2022-03-18 17:13:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:rVspUwf9hhQP20Nog1tChybY9GygPmWXrq0l4EQUfIHTw:rVQzVhhMNoQl0EygPNveWIHT
Threatray	10'166 similar samples on MalwareBazaar
TLSH	T18F451220A6A44675EABDA3F8845581C013F37177C06BD78E2FD9B0EB5F723418436A6B
Reporter	604Kuzushi
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/252674/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1256.17699.10685.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6234a1a0dfdfa8501cb61a80/reports/fafc08dd-c8a2-4e68-98aa-a23e0034599e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ac373f9-4a9b-4922-a06f-2739e8a7304e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/959666

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-18 15:13:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z5oq5n2bvxdhvtzm76567ep3amgjjlffgtl2nok67w5m4enuuyva._file

Verdict:

malicious

Label(s):

formbook

Formbook

374874898c5386561d60c3fae0482d1caee783f1096dda6742b1c073175a0a14

Formbook

4892e9b8ed5aa57661e3a1fd4bc2d48570cd416af12ab88bbade473ede45c1ed

Formbook

6fb859be1f19ec66d032758b38eade770aedc4f60b2341284ff407647980852b

Formbook

b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c

Formbook

c6a3fd36f07d97fb287fbac946ae8b8d12d1fcde36fa87395de79d59f0c3fb77

Formbook

d89f28603b8948dd7217e42366328a6e9bd05d59e5de67a4c39f207f8a520d43

Formbook

df1510f64189b49ffeb4630c74af81a86888114102b493f52b5ad1c1cb58d121

Formbook

+ 10'156 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:d2g7 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220318-slrb2sbbhj/

Behaviour

Creates scheduled task(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

55387d8366303a794ee0f3d71a04617f0f1ee9c67a55c913f9b6b870efa123b8

MD5 hash:

c7a79737aa6d4fadfac3b251d48773c4

SHA1 hash:

1afbe9593ed76bd2edb0e0dba4512eb3c8d43fb3

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5d4ccb98-68fd-47d0-9a45-006cdf006245/

Parent samples :

b76cdf3f203937fdd5a57710faf9c4d78281f4b893e8caff17a5053bb741bffc
28c337c65bf47de6ddca1d5e975f8dc8dfb86d3f1b9e14f7f2db464a089f6c06
d92480dba0931328c2c808ae67f0be25ce8eed46de25ad916d111245136254bd
4d6852edf73457b9a9db48a0f0220f3514bfcfdc0bb11a03b8496cccf45cc671
35c8631e608c2dea5c2969f9f59a0c85317bba6af71f2e56063b8efef57a3e05
54cfa1f93d985c0bf952e00247f781f36988dffec0cb8d83f79fa3e41d98b335
a49a78b4925decc0dc56f7d6b51a49b17d028016ebd820de985c6982957eeac9
a894f6175d1e84c3a4dd7d14703624c4134888b024d122bfac661007e98a554a
c3e4c2e1e242cf92142f4d4fb1896354cfa07089f40243b31046ff3eae8ac2c8
ffd04d82156eede57a242db418b539e9ee13aa1bf5123df96db273c0f6f6ce71
b8ae965dc24d6b7149c486672bf33989d6c27f108a68cb447cf5308eb91b8217
cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a
77de2fa49e24c93e217088285cfcc816cf7ae40928898dc3e88c0d6a67a31c80
8318860499c2f3e03a5e580fbd91d8c1214acc713b032e908442651e7b54ca81
e1a8e7ef8a30663d9bae4b02310ab1b0e243e0624aed6765946e9d8f73b879a1
499fb85e548a134abdf18b6a9d149b9c4f2bf9b0f534dd4c86e600180fb19bf9
930759b9b35cdcfbdd7196aecb009374c34a02a142b67c99d07da2918e9aa341
0cac8ae6143ca74f0cd566c8ded5a586f03d9be060d2bab62513ccb4382196db
97504b3dbc2dfe20922f3323f905aa9d4f5f440720cab63dd26c82f26f7d76a2
83acd88ea989609fc7c635ea881d6df384c1720dfd87d7e1c01cad3bcc241d42
0119c8252290ab1c092ee4ab1d9cd18502909207bf3368491b1448a8f7e14513
b28653e85b97fd93c5d893839290ff17e6a6eb748eba11c9ee11ec9884e35410

SH256 hash:

8f46f1a7d10043d67767083810bbc1c09e2ddeac6ebe6f49e0bc5310bf377c54

MD5 hash:

9e9a2fad0fcbe46c3bfd808b33d438b1

SHA1 hash:

dc0dec4c8852754b429a37d34d7a19ecb055a68d

Link:

https://www.unpac.me/results/5d4ccb98-68fd-47d0-9a45-006cdf006245/

SH256 hash:

6ff21c090296e9fd3ec2b17e03e184e2396adf4013b2a4f4c9dea5bd7aff38f7

MD5 hash:

7c3fb3e3d91e338ae917c4cb46895e71

SHA1 hash:

ba577b8ccb3c6bbc5e9e3a838aec98859cd4dbaa

Link:

https://www.unpac.me/results/5d4ccb98-68fd-47d0-9a45-006cdf006245/

SH256 hash:

2a05630a1bb99aa7be578652614a2f41d92daf960551596a09083f5d6c70234b

MD5 hash:

e5cb01954ed4bd6ced3ed0cb1cd84518

SHA1 hash:

40c7731da59ab545c12c1a651805b508c6e8deab

Link:

https://www.unpac.me/results/5d4ccb98-68fd-47d0-9a45-006cdf006245/

SH256 hash:

cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a

MD5 hash:

7280b74e4cf0685d974bbb8d60a57ea0

SHA1 hash:

272afcc621eecb76b7986fa80fd4fc235adfde60

Link:

https://www.unpac.me/results/5d4ccb98-68fd-47d0-9a45-006cdf006245/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cf5d0eb741ad/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/252674/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample