MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e89bafab3d4be62a5f5879814f991fa2c99707f40bb00d6f2f16f6e301976493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e89bafab3d4be62a5f5879814f991fa2c99707f40bb00d6f2f16f6e301976493
SHA3-384 hash: 8d37591aa86ff801ef2d6b0025cb80a3ace14d4e4723ef306041aacf7e7a6b57ad8c8ef34aef46b5b3beda1d01082806
SHA1 hash: 91fae8357729754a648045f1a5e1a22f3ef32492
MD5 hash: e7ea596c306eb7c00bb2f6a053e30616
humanhash: sodium-mountain-lactose-fourteen
File name:CONFIRMACIÓN DE PAGO.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:921'088 bytes
First seen:2023-01-23 09:08:41 UTC
Last seen:2023-01-30 09:03:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:clxSDTmHkFrVbS45nJpaqnMBggXXnxsQCCGEK0NfrQMx8CHdoP7bk53j:c6DkkFrBS4ZMBggXXnxtXDNfM45Hd
TLSH T15D15AD055DAF1570ECA9BE3A91FEE927D62196C106AFE570D0F45EE488E3280DC88F74
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CONFIRMACIÓN DE PAGO.exe
Verdict:
Suspicious activity
Analysis date:
2023-01-23 09:12:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/35d043b7-ad17-4c97-b191-c4620be932f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355803/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/63ce4eb196add6d1cf482ebc/reports/dac7e36e-e741-4df3-9fe9-719cb1b9e590/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/913f19ef-f79b-4e22-bfdb-d95841e4b6ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156851
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789584 Sample: CONFIRMACI#U00d3N DE PAGO.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 6 other signatures 2->38 8 CONFIRMACI#U00d3N DE PAGO.exe 3 2->8         started        process3 file4 22 C:\...\CONFIRMACI#U00d3N DE PAGO.exe.log, ASCII 8->22 dropped 48 Injects a PE file into a foreign processes 8->48 12 CONFIRMACI#U00d3N DE PAGO.exe 8->12         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 12->50 52 Maps a DLL or memory area into another process 12->52 54 Sample uses process hollowing technique 12->54 56 Queues an APC in another process (thread injection) 12->56 15 explorer.exe 4 6 12->15 injected process8 dnsIp9 24 www.gulfshoressaver.com 91.195.240.94, 49733, 49734, 49735 SEDO-ASDE Germany 15->24 26 www.jamjar-cars.co.uk 213.171.195.105, 49718, 49720, 49721 ONEANDONE-ASBrauerstrasse48DE United Kingdom 15->26 28 6 other IPs or domains 15->28 30 System process connects to network (likely due to code injection or exploit) 15->30 19 raserver.exe 13 15->19         started        signatures10 process11 signatures12 40 Tries to steal Mail credentials (via file / registry access) 19->40 42 Tries to harvest and steal browser information (history, passwords, etc) 19->42 44 Deletes itself after installation 19->44 46 2 other signatures 19->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e89bafab3d4be62a5f5879814f991fa2c99707f40bb00d6f2f16f6e301976493/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 16:22:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cn27kz5jptcux2ypgau7gi7ulezob7uboya23zpc33ogamxmsjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230123-k4fz2acf35/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
be69ee6e1b9e11deccd6e62ca3915bb9415d038732131b5892a0601461c28f9e
MD5 hash:
97dd43ab81370500269c47829785a84c
SHA1 hash:
ce14e1b530a7c6901e80a47df556ef66370e3ae1
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
SH256 hash:
f443ce5676e4655e1908ec2f94171bb68cc24b244c142c313c30d67e35b16d51
MD5 hash:
f119fb816605a5fb6f0e0f0c8f0819d5
SHA1 hash:
ae32798df1447bfc573fb51e606253942a8470a9
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
SH256 hash:
8e75c0a5956d76819711776a44824420accf5f91d237cc49ee456368b79a3f8f
MD5 hash:
161997cadba4ae09411d36dc16018fa9
SHA1 hash:
87aebf1819d1077bef91028587774a3dff68dd20
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
SH256 hash:
5185f49374bab5249333a90f3496dfa3a078b93fe4c2f26a83f993b707ebd9fd
MD5 hash:
02659760e8c8aad55e3912424e0e62f8
SHA1 hash:
0f09ac61fe80148254ceb9087c2c62bfd17f3ef0
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
SH256 hash:
f4b4beea8b88e89957c2f62b578dfe11d8034840d57c425b73dcc94235ade444
MD5 hash:
e8373192e597389b1de05f3b3a748c68
SHA1 hash:
0e18459f0b1c52ae6963c4f83fbf592cfdda6485
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
SH256 hash:
e89bafab3d4be62a5f5879814f991fa2c99707f40bb00d6f2f16f6e301976493
MD5 hash:
e7ea596c306eb7c00bb2f6a053e30616
SHA1 hash:
91fae8357729754a648045f1a5e1a22f3ef32492
Link:
https://www.unpac.me/results/0a6a0216-0454-4f8d-b03d-1c626e59da70/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e89bafab3d4be62a5f5879814f991fa2c99707f40bb00d6f2f16f6e301976493

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e89bafab3d4be62a5f5879814f991fa2c99707f40bb00d6f2f16f6e301976493

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/355803/

Comments