MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b
SHA3-384 hash: 00e8ac523f7cc0d6251fa10d54aedde9ff8ad46d07c1840fdbb9b77678e6fd4a00bb5420e00ae7d7bd4fe7c4aa50d073
SHA1 hash: 432ad27474950f14dc9c8bd13c3f642e40a64c13
MD5 hash: aaf52756b012a13998284e58adb532a2
humanhash: high-three-december-april
File name:#77201.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'013'248 bytes
First seen:2022-10-31 18:22:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:LNvplR131dxk8itCwhuJ7zps7rNZ1mMRMOIxceLfbcPCGC3cnDBio:brvdxkB5uJJs7JZ9MdD13Aio
Threatray 15'201 similar samples on MalwareBazaar
TLSH T1CB25E1F1B6264145F9A633791126FB30237D2E79A8F5820DE4806B9938D33236E63777
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4ce8a6766981cccc (11 x Formbook, 5 x SnakeKeylogger, 3 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
#77201.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-10-31 18:23:49 UTC
Tags:
formbook trojan
Link:
https://app.any.run/tasks/97b8beae-3fac-45ef-ac43-d73769193ab7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326545/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63601287ce1f43143c2a37ef/reports/d4e664e8-da3a-46ea-88c7-6ccdce0a1d61/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a24fd57-aa53-49ae-8e52-b7a019d7f9fa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101959
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 734621 Sample: #77201.pdf.exe Startdate: 31/10/2022 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 8 other signatures 2->64 8 #77201.pdf.exe 7 2->8         started        12 osnYwDCIBr.exe 5 2->12         started        process3 file4 44 C:\Users\user\AppData\...\osnYwDCIBr.exe, PE32 8->44 dropped 46 C:\Users\...\osnYwDCIBr.exe:Zone.Identifier, ASCII 8->46 dropped 48 C:\Users\user\AppData\Local\...\tmpA91C.tmp, XML 8->48 dropped 50 C:\Users\user\AppData\...\#77201.pdf.exe.log, CSV 8->50 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 76 Adds a directory exclusion to Windows Defender 8->76 78 Injects a PE file into a foreign processes 8->78 14 #77201.pdf.exe 8->14         started        17 powershell.exe 21 8->17         started        19 schtasks.exe 1 8->19         started        80 Multi AV Scanner detection for dropped file 12->80 21 osnYwDCIBr.exe 12->21         started        23 schtasks.exe 1 12->23         started        25 osnYwDCIBr.exe 12->25         started        27 osnYwDCIBr.exe 12->27         started        signatures5 process6 signatures7 82 Modifies the context of a thread in another process (thread injection) 14->82 84 Maps a DLL or memory area into another process 14->84 86 Sample uses process hollowing technique 14->86 88 Queues an APC in another process (thread injection) 14->88 29 explorer.exe 14->29 injected 33 conhost.exe 17->33         started        35 conhost.exe 19->35         started        37 conhost.exe 23->37         started        process8 dnsIp9 52 df1bto5vlbdx3ai.xyz 216.18.208.202, 49699, 49700, 80 WEBNXUS United States 29->52 54 www.katywren.com 107.149.14.133, 49697, 49698, 80 PEGTECHINCUS United States 29->54 56 3 other IPs or domains 29->56 90 System process connects to network (likely due to code injection or exploit) 29->90 92 Performs DNS queries to domains with low reputation 29->92 39 chkdsk.exe 13 29->39         started        42 msiexec.exe 29->42         started        signatures10 process11 signatures12 66 Tries to steal Mail credentials (via file / registry access) 39->66 68 Tries to harvest and steal browser information (history, passwords, etc) 39->68 70 Deletes itself after installation 39->70 72 2 other signatures 39->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-31 01:38:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
37
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5235krjaqd5sonbvvmwjhdne2gr5kartxzh4c2outuq7l73grvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0057356bffe81fa4eafacbe446dd1fba01721b7e60c4782d2ed85b6226564204
Formbook
01e953f7efe55cf5970090491b1fc25dce140a505dea9e74bb07b81e3ef4f89e
Formbook
0c7d7c9cf153c7c97e3e2789bc903e72ccb6b27251df20e56cf7015d5df372f5
Formbook
1d471d4c679e7c68369a2824adb475071d80878c73de43bce4635a410b4d3d17
Formbook
4678a529e9765c07270509abcbe33fc8bbe276d1d994f384018d1a567ef177fd
Formbook
640e1f98387d8184a8b69457da56206b24c7893b5568fa2c8d7cf6ce65f016ba
Formbook
f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
Formbook
+ 15'191 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:5pdf rat spyware stealer trojan
Link:
https://tria.ge/reports/221031-w1fqmsbgf3/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Unpacked files
SH256 hash:
2723c44f6bae568744c0f6b56b846e70eeb3d5d03b7f436b8c1199b89c12d727
MD5 hash:
174743808ec50429b587bad2e053fb04
SHA1 hash:
ba5c22d5d5a38a16ae8045c0900dfa4f9531d069
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
Parent samples :
1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c
f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b
SH256 hash:
0df1880919fffb48777619ab02f4451b3fe1e38239e3732f9fedabea891e72c0
MD5 hash:
620366d2032d5acefdee3d24e7ed8969
SHA1 hash:
7ae905d4f126c54e1c858a23632dd629d59bb525
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
SH256 hash:
15d73a776fe344c81d89f8c1403a88694e798a4698997b7e71ff8cd285043e5e
MD5 hash:
30f4d7c4a68786ee7add65357696b171
SHA1 hash:
f1dc5ea4551456140bda5f1be92ea156260cab2f
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
SH256 hash:
1070a5941afa86993caaf3e8095210ca04943863cef3da6ee8f07fd23ed8c12c
MD5 hash:
5912dd1fa389f573f18da00cbeaeac4d
SHA1 hash:
3130281f29687594c3c08e6befd6bee6e93921f5
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
SH256 hash:
dc114d3f588f9ea412e64e19d6b2c5cce0854c1cc50660cdcd2523eb18e5b84e
MD5 hash:
4e6ec514382b189f3201b377083db07e
SHA1 hash:
075c2491a66bda0005813969fbf37633d44c9352
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
SH256 hash:
cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b
MD5 hash:
aaf52756b012a13998284e58adb532a2
SHA1 hash:
432ad27474950f14dc9c8bd13c3f642e40a64c13
Link:
https://www.unpac.me/results/abee0793-115c-415e-adaf-ac5bffbacebc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf75beaa2904/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/326545/

Comments