MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b
SHA3-384 hash: 90d08852f60a828cdcccfbabbe743705ddd84c34945e4265253c076af5ebe98dcf75a74ba0448c559908236799a43291
SHA1 hash: 59773e825af88db1eb3f8d83180c19c5a0d3d316
MD5 hash: 7635a49eafeef5fb97c12e81d92daba8
humanhash: neptune-pip-zulu-quiet
File name:Swift#invoice6-15+PO7038.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:737'280 bytes
First seen:2023-11-10 06:06:03 UTC
Last seen:2023-11-10 07:22:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:j8Y56H5sNQ0c3UhZjfDVGxue9TDhFZaLAwaJJC6i6HLX3x9pXb/AD:QYIHi/7/Gxue9HHUa7RXb4
Threatray 50 similar samples on MalwareBazaar
TLSH T165F47B3D5DAD2637C1B9DFB58FC5902BF1C0A9A77151ADB8A4D303AA4342A56F4C023E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
23
# of downloads :
315
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.28103.25174.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/654dc8860adeb03433537578/reports/d98186c6-c5f5-43b9-b3a8-87e85294752b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0833fc41-dccd-4c74-914f-a0eda46621d4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340257
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-09 15:56:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tq7z4erq7ghg3zihbqtzbzqhlxte766nbm62xzv6wodhopbxm5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22da6798edf7ecbc018e132ff61dff54b38704226c0f4693e8981b112e69eafc
Formbook
3ea69a1a0c5cc196a71ab1d7754abe0683813ff321d59d731bb72d2d3d076f3f
Formbook
4c52fcc759e836699f5b46f6f67d1aa5370b61c2fb72f3cb761f178e07639c96
Formbook
50fc82d5c17dd18d51f9c65c690592c4af3717d213fec18bc06543729bc464bd
Formbook
7e443b358c8dcdb105837a0354f9132a771f1eea9ec3fc1ca0b39253a6cce940
Formbook
be9fa4bd2766fc5e1d06a60c8e9fffcdb6d0c7cded097234b573abf97a19cc41
Formbook
+ 40 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231110-gtsdjace4z/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
ffbb1f0fd84831ec1b2d11dd075d40a48b1c15eb7a1665101a06c8b9862ae5cc
MD5 hash:
c59a3cee237ae059c3a8d4e19166dfaf
SHA1 hash:
9582faaf41e4a92dfd83c389dd5862461f45461f
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
Parent samples :
7e443b358c8dcdb105837a0354f9132a771f1eea9ec3fc1ca0b39253a6cce940
dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b
SH256 hash:
b0e1d5b2d5fb86bf878ddc018f0fb05cbf73fc93c5b18aafd555dd30c0df2c5c
MD5 hash:
14f86f6f68a26a2b2d7e26145f98302b
SHA1 hash:
fa0ec0663235af5fad771ce267885a5e7a6086a2
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
2e9e376655a6083d0965d47f0acfb554190f3fada1e9061f223b34ba2ee78e90
MD5 hash:
5eaaf8b2dcc2876728b70e74e8aeb6b9
SHA1 hash:
5632413b2a453c2b43c6b75297c8880a37ce88fe
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
bfef9eac82e53e8d63bcb3b3022880eaf8f22cbbc6c69f3782b59c438f649f12
MD5 hash:
ddf81912128dd196140e9be656c3a212
SHA1 hash:
51221baf7115f7f2de03cd00b8b25cfde9241a35
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
cb997aea7e1e2e957b3ca914973fbab4dd1e2747cb9cd8cb35a446b96f9da308
MD5 hash:
d01335f4bb5df4c41de4bc1100dd6a19
SHA1 hash:
d9103b26270bfdc168b70c657827b0742084eeb1
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
42390036bc87ca745e94c6562ada1c446561964eb65b0db6353625f10e1c1680
MD5 hash:
19a2b9a5f43ca38ef9bf58cafe9be579
SHA1 hash:
a4b235f46989a96819ae01cdaf1f86faf5780ee8
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
0e42e4811f07c4a6d1d756bbc4475e9e26b7d27058d5a4b9f0c87ddfee2ff904
MD5 hash:
4ebb37c34bf57664d5dbe3a571b24960
SHA1 hash:
8133c3da256925627dca13b633a11a90957731ab
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
a51f040d9dcedaedfd6c8964bd8a19939c6af852335419fc2a4a955746f79077
MD5 hash:
932c3e4a589e93e760786457f68bd3e9
SHA1 hash:
64d40dc206a132ba80a6940b6e0ed23d128d8362
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
97f90d19bbba581b184cf1402354b36cea9cb59a555554701f7445d965f0c97e
MD5 hash:
006408e5347c8069e9aeb8e692b293c5
SHA1 hash:
447796f4c07f1060222ef748b753318b6ad0bc4c
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
5978f9003a3c4d1fa27d73ecbf52a2d83d086dc592dcb3e383c352bb3e2ee51b
MD5 hash:
42051cbb96a7364970f18d9a34f008f6
SHA1 hash:
3a5840b2b24f1aedc907b8773617ac8f120c7959
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
SH256 hash:
dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b
MD5 hash:
7635a49eafeef5fb97c12e81d92daba8
SHA1 hash:
59773e825af88db1eb3f8d83180c19c5a0d3d316
Link:
https://www.unpac.me/results/e57c943c-33ee-4a66-bf28-7e0930fd0746/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dce1fcf09187/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 1cec4fe89bcf1f11d07870a89ba10d46aa47262ee10fd63aed7bd7e70f6fca15

Formbook

Executable exe dce1fcf09187cc736f2838613c87303aef327fde6859ed5f35f59c33b9e1bb3b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1cec4fe89bcf1f11d07870a89ba10d46aa47262ee10fd63aed7bd7e70f6fca15
  
Dropped by
MD5 61c7b6f5a9b62df8c2c8a1447d4e549f

Comments