MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b
SHA3-384 hash: 372d6c22d530536459c20cce11bbaed98a6737ee5e905e4938d78c8c74d9f3927247fb12959df0536c2dbf8e249d7e2d
SHA1 hash: 192f26ff52a928b3689b923394b41235d28c2e32
MD5 hash: 353747c834e8408765c71fdf2a26faa7
humanhash: maine-cat-xray-lamp
File name:CG230511007 Order Purchase.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:870'288 bytes
First seen:2024-01-31 09:33:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:nj060wKJM12XOhFsJIZa5GI545FU3Bh/RIpDgJz7cziwdzDOLlgplFFXu:j06KErhbaUI25FUhlJzozppXu
TLSH T15D05D046B2864961C795A338D6AB57010360FEF6A163D70763DB32E9251B3EF1FA1B03
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c098988898888890 (9 x AgentTesla, 3 x Formbook, 2 x PureCrypter)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
388
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b.exe
Verdict:
Malicious activity
Analysis date:
2024-01-31 09:34:37 UTC
Tags:
evasion agenttesla stealer
Link:
https://app.any.run/tasks/b41b54d6-98ea-49a0-900d-38cd38a6b56f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473706/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/65ba140c16a447dc38006974/reports/862dde94-31fd-4806-9710-df34dd20810c/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4251c365-440b-441d-b956-b84a5373b8f1
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383898
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383898 Sample: CG230511007_Order_Purchase.exe Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 94 ip-api.com 2->94 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus detection for URL or domain 2->106 108 Multi AV Scanner detection for submitted file 2->108 110 13 other signatures 2->110 10 CG230511007_Order_Purchase.exe 1 4 2->10         started        14 xls.exe 2 2->14         started        16 xls.exe 2->16         started        signatures3 process4 file5 92 C:\Users\user\AppData\Roaming\xls.exe, PE32 10->92 dropped 122 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->122 124 Encrypted powershell cmdline option found 10->124 126 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->126 132 2 other signatures 10->132 18 cmd.exe 1 10->18         started        21 powershell.exe 20 10->21         started        23 CG230511007_Order_Purchase.exe 15 2 10->23         started        26 cmd.exe 1 10->26         started        128 Multi AV Scanner detection for dropped file 14->128 130 Machine Learning detection for dropped file 14->130 28 cmd.exe 14->28         started        30 cmd.exe 14->30         started        32 cmd.exe 14->32         started        34 cmd.exe 16->34         started        36 2 other processes 16->36 signatures6 process7 dnsIp8 98 Uses ipconfig to lookup or modify the Windows network settings 18->98 45 2 other processes 18->45 100 Potential dropper URLs found in powershell memory 21->100 38 conhost.exe 21->38         started        96 ip-api.com 208.95.112.1, 49736, 49738, 49739 TUT-ASUS United States 23->96 102 Tries to steal Mail credentials (via file / registry access) 23->102 47 2 other processes 26->47 49 2 other processes 28->49 51 2 other processes 30->51 53 2 other processes 32->53 40 xls.exe 34->40         started        43 conhost.exe 34->43         started        55 4 other processes 36->55 signatures9 process10 signatures11 112 Encrypted powershell cmdline option found 40->112 114 Injects a PE file into a foreign processes 40->114 57 xls.exe 40->57         started        60 powershell.exe 40->60         started        62 cmd.exe 40->62         started        64 cmd.exe 40->64         started        66 powershell.exe 49->66         started        68 xls.exe 49->68         started        70 cmd.exe 49->70         started        72 cmd.exe 49->72         started        process12 signatures13 116 Tries to steal Mail credentials (via file / registry access) 57->116 118 Tries to harvest and steal browser information (history, passwords, etc) 57->118 74 conhost.exe 60->74         started        76 conhost.exe 62->76         started        78 ipconfig.exe 62->78         started        90 2 other processes 64->90 120 Potential dropper URLs found in powershell memory 66->120 80 conhost.exe 66->80         started        82 conhost.exe 70->82         started        84 ipconfig.exe 70->84         started        86 conhost.exe 72->86         started        88 ipconfig.exe 72->88         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-01-31 01:59:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3py6pupzttzqxcthzh342t6hwvycsuwaowcvbegsh5utqdb72ivq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240131-ljrfpsbacl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b
MD5 hash:
353747c834e8408765c71fdf2a26faa7
SHA1 hash:
192f26ff52a928b3689b923394b41235d28c2e32
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/ae66e439-c65c-4d00-bdce-89aa9d7cd64f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z ce4c49b53ecc85b547cc750a4ebd4624443c4f9d940712645a118d964ff3a668

Formbook

Executable exe dbf1e7d1f99cf30b8a67c9f7cd4fc7b5702952c075855090d23f69380c3fd22b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ce4c49b53ecc85b547cc750a4ebd4624443c4f9d940712645a118d964ff3a668
Cape
Cape
https://www.capesandbox.com/analysis/473706/
  
Dropped by
MD5 fed79e18902d8cab58b5a92393981cbc

Comments