MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0
SHA3-384 hash: 3fa8112a8653d2c3fa1b78a6a65763bd421c8a505f0ee85bdfb567cf7b93def1f487cf8976fea73d00d5bc26ffcfd770
SHA1 hash: 66911e4051d389ccfa042b762c22a7609d1d2b73
MD5 hash: bc342a4367986719b1eac898157dc158
humanhash: chicken-south-south-indigo
File name:NEW ORDER 11.06.2022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:813'568 bytes
First seen:2022-07-11 09:41:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:g+rY4shcR02AWiuttkB4CMMHZTydOZlWhiGYqiptaBjXtrLcDlt:g+k4s2fRtkB7MauEZlWh0pEjXtrL
TLSH T14305E164FAEECCAED07615382031C5501873AF875B0AE7D9685E7D3E9C307026D99A3B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
NEW ORDER 11.06.2022.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 20:34:16 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/da61eccc-c509-4096-87a6-3d2157a59ccb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286120/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.3027.10800.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cbf06e81790e51fe56f676/reports/d24e837a-349b-4802-9b74-d6f89716ec3a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7795385-e0ea-4b4a-9582-8912290cdf83
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028399
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 660896 Sample: NEW ORDER 11.06.2022.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 33 www.luminale.art 2->33 35 www.fixtures.pro 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 11 NEW ORDER 11.06.2022.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\...31EW ORDER 11.06.2022.exe.log, ASCII 11->31 dropped 49 Injects a PE file into a foreign processes 11->49 15 NEW ORDER 11.06.2022.exe 11->15         started        18 NEW ORDER 11.06.2022.exe 11->18         started        20 NEW ORDER 11.06.2022.exe 11->20         started        signatures6 process7 signatures8 51 Modifies the context of a thread in another process (thread injection) 15->51 53 Maps a DLL or memory area into another process 15->53 55 Sample uses process hollowing technique 15->55 57 Queues an APC in another process (thread injection) 15->57 22 explorer.exe 15->22 injected process9 process10 24 cmd.exe 22->24         started        signatures11 45 Modifies the context of a thread in another process (thread injection) 24->45 47 Maps a DLL or memory area into another process 24->47 27 cmd.exe 1 24->27         started        process12 process13 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 04:47:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zlmstxdjtgeem3vaeepbplqxul7kgappdogz4t2wemdtyfpmgqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/220711-lpbmfafhhk/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
1bdf84120af76ca4d76a0bc1e9e2163f15845c80edb0d53fc5bff39f72d4b97d
MD5 hash:
8f346bfdcf390610816001db1589a6b3
SHA1 hash:
9d3709b3614b17a4d6dd9bb7f0b1d44ac75503d7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cb98ff57-a319-40c2-9694-ab40e7433027/
Parent samples :
d04ab260ca94c62be68bb517f87ee52be1a74eb6aa5930f11348561c1c2556fd
d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0
6f97cf82d7f717b0ff7f5cc68eaf6d0b9cbca7c0ce021061ca724803752ff1a7
bb9f34650be582da17ebfefa4aee482eea1658ba1bd4305977f9861032ac9020
9ba5e7767346ccdc2c9ecffaff4c6a591c6029910bebc7c8d89453aa665f02e6
d72740fde26cc6220bb1808becfe5a045d40b758eed09510f1a46e35393292a6
8714724609eeba98185025392110c7afe0fb5fa3ebc48155ade108152b1fcbd4
075fdb35b3d0a5ef1bfa8d129276dbbbeecee25f37af3b9c31539c198a18ba77
eb04794beec7548b43a7f136bfca18239d785dbbfe0e40aed0bb2cfe2a63b7ca
SH256 hash:
effcab29177546bac00e926c2aca0d1f2060e490ec0ace2a4b6cef3c976c1768
MD5 hash:
7f457c9b52df19a90868510ef3e6d849
SHA1 hash:
4d06278acbe063e5875a354e20bedf3fd1730418
Link:
https://www.unpac.me/results/cb98ff57-a319-40c2-9694-ab40e7433027/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/cb98ff57-a319-40c2-9694-ab40e7433027/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/cb98ff57-a319-40c2-9694-ab40e7433027/
SH256 hash:
443e87b5990d7bb5374cf02d3cbd13bccba5a0314f581f35e46beee0fd8dcdb6
MD5 hash:
a5f5c52f24c542ee7bdb0a6af2802fb3
SHA1 hash:
63a311a345f76ef6eec1eab2a4643bc1057ffca9
Link:
https://www.unpac.me/results/cb98ff57-a319-40c2-9694-ab40e7433027/
SH256 hash:
d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0
MD5 hash:
bc342a4367986719b1eac898157dc158
SHA1 hash:
66911e4051d389ccfa042b762c22a7609d1d2b73
Link:
https://www.unpac.me/results/cb98ff57-a319-40c2-9694-ab40e7433027/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d656c94ee34ccc4233750108f0bd70bd17f5180f78dc6cf27ab11839e0af61a0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286120/

Comments