MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6
SHA3-384 hash: 9878032df2feb67a69cced1c938e40d8b59a0a86c6eaee0dc3fecac165b77f8f9035881377cc7ac1a39e077def15d8f0
SHA1 hash: 236cdb26f9f24c590247fd45a6c6affca29c2292
MD5 hash: 50b93bbf85541dae736e4d2e5454b062
humanhash: golf-angel-charlie-bulldog
File name:new order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:587'264 bytes
First seen:2023-08-07 15:08:25 UTC
Last seen:2023-08-07 15:32:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:zdZJucvEjxS+x4VWgyI7a5QlvSFMSTtmOklOTzHHD9WSN:ZCcaxSc4EjIYUDY3p3N
Threatray 3'648 similar samples on MalwareBazaar
TLSH T1B8C4235879AD87B9DDD967B27C2C6CAC03B6365E1010E735AE8258DF1102F0EDE2194B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1000107171100000 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
new order.exe
Verdict:
Malicious activity
Analysis date:
2023-08-07 15:09:59 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/68d3dfbd-a512-4cb9-b972-762ae95a9abe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441121/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1995.17405.7130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1544d312-8a16-4add-b043-f26f95e7d392
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287224
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1287224 Sample: new_order.exe Startdate: 07/08/2023 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 6 other signatures 2->45 10 new_order.exe 3 2->10         started        process3 signatures4 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 13 new_order.exe 10->13         started        16 conhost.exe 10->16         started        18 new_order.exe 10->18         started        20 new_order.exe 10->20         started        process5 signatures6 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 22 explorer.exe 1 13->22 injected process7 dnsIp8 33 www.danellatufting.com 46.30.211.38, 49695, 80 ONECOMDK Denmark 22->33 35 xzewm002.shop 8.212.101.231, 49696, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 22->35 37 4 other IPs or domains 22->37 47 System process connects to network (likely due to code injection or exploit) 22->47 26 wscript.exe 22->26         started        signatures9 process10 signatures11 53 Modifies the context of a thread in another process (thread injection) 26->53 55 Maps a DLL or memory area into another process 26->55 57 Tries to detect virtualization through RDTSC time measurements 26->57 29 cmd.exe 1 26->29         started        process12 process13 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 01:03:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2azrwqnvbrqtjqd22hhawmyctkyyziuogqcxo4uopammfunl5ota._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03e156f16efbda2a891a6519a282ad085325d498695287ee92ad056f7d1c2422
Formbook
31d4fa7c04a77660000eeecf8f66e38d6108f460ea7b539744d7bf9216266a50
Formbook
4a30ba2e0012dd756f7d6fab584e78fe144a306d134921502819330a6978d328
Formbook
7d05369e7f8c3f1ae6e8e52d34c33707768c9d50c7cc688198f1e72bfebd2599
Formbook
7ddf9fb46d1aae7b4ac60e280145130de860966295010878e138d8c2213b7372
Formbook
a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc
Formbook
ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
Formbook
b97d675cc03e2f033970f5357f256e461792111b78d27944225ba91558ca14cc
Formbook
c7f690c33e83ce246c48b918864dae66b4b6964116046cfa34de6bd3a81c2964
Formbook
cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
Formbook
+ 3'638 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d13a rat spyware stealer trojan
Link:
https://tria.ge/reports/230807-sjfgrsha8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
5aee85e4755a289724c916a8ec818ad266cef1c9f7ecf36b887c4f3d0e3b15f7
MD5 hash:
b114f3e4f3bad9980734b10339f615b3
SHA1 hash:
61a45a94bddd4a62256dc66dbb6768fc94ea315f
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/edf1bc6f-9dbd-4bc6-a7b1-2be29ca88eec/
Parent samples :
4a30ba2e0012dd756f7d6fab584e78fe144a306d134921502819330a6978d328
7ddf9fb46d1aae7b4ac60e280145130de860966295010878e138d8c2213b7372
d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6
6d63f78d42132df4cabeb30eb835bb3ff1a06fbd8326948f2d940d42b683efa1
SH256 hash:
504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804
MD5 hash:
74ed681a2d7aed1dae5627d4367474f8
SHA1 hash:
cad2df636d3f0710f69fdb18cbae03a332341dd3
Link:
https://www.unpac.me/results/edf1bc6f-9dbd-4bc6-a7b1-2be29ca88eec/
SH256 hash:
4e0169eb0ad11577dbe626172093bf7b1aeacf2e64e5a52a35783f1302de6c06
MD5 hash:
267042a737b56727d4301f9a321a3111
SHA1 hash:
8aa6184b5ea10c64bc2199d9b2e76c9e864a3cdd
Link:
https://www.unpac.me/results/edf1bc6f-9dbd-4bc6-a7b1-2be29ca88eec/
SH256 hash:
acb4f2181a20567f3a024b4919e95a204633c49dd5fa694e73b2c508b2517f62
MD5 hash:
54382de0119d4daa02ec3edd0312168d
SHA1 hash:
0451e80a80e731f260afd2e7c60d9d79069b0a3b
Link:
https://www.unpac.me/results/edf1bc6f-9dbd-4bc6-a7b1-2be29ca88eec/
SH256 hash:
d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6
MD5 hash:
50b93bbf85541dae736e4d2e5454b062
SHA1 hash:
236cdb26f9f24c590247fd45a6c6affca29c2292
Link:
https://www.unpac.me/results/edf1bc6f-9dbd-4bc6-a7b1-2be29ca88eec/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0331b41b50c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d0331b41b50c6134c07ad1ce0b33029ab18ca28e340577728e7818c2d1abeba6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441121/

Comments