MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
SHA3-384 hash: 41a9114fb474fab06cbc9609f3d5aed5a1f2f3d68352ea59918cb376b82bfa42e3d9370d62271e1f26883a3503ff7027
SHA1 hash: 80eaae5bb96882f5c3e3569cac657f82a47815d0
MD5 hash: 069f621ff78d521669387724f936f693
humanhash: romeo-robin-timing-pennsylvania
File name:NEW-ORDER_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:740'352 bytes
First seen:2024-04-16 07:37:22 UTC
Last seen:2024-04-16 08:28:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:KxbJfmUudbrI0gwreu+bkyZg3nbwlWMNt3Ce0+BiPQ+BU:SJfFObr5gRkyZgL8Wmt3C9+wI
Threatray 46 similar samples on MalwareBazaar
TLSH T14AF40208A1EE6F1FEABD87B0553168100BB679BA5537F3870EC594D629B1B848B10F73
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 004000c8c8004000 (6 x AgentTesla, 6 x Formbook, 4 x Neshta)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438.exe
Verdict:
Malicious activity
Analysis date:
2024-04-16 07:40:10 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/36fcbc41-a2bc-4bfb-a103-b986cd1be193

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated packed
Link:
https://www.filescan.io/uploads/661e2ada75339da04f92ebd6/reports/46b01a9c-eb21-49dc-852d-9a248e1631e1/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c2dca92-75eb-435e-8109-c80c6c5f36ff
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1426533
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426533 Sample: NEW-ORDER_pdf.exe Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 52 www.99b6q.xyz 2->52 54 www.xn--matfrmn-jxa4m.se 2->54 56 19 other IPs or domains 2->56 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 76 8 other signatures 2->76 10 NEW-ORDER_pdf.exe 7 2->10         started        14 HRIxsrY.exe 5 2->14         started        signatures3 74 Performs DNS queries to domains with low reputation 52->74 process4 file5 48 C:\Users\user\AppData\Roaming\HRIxsrY.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmp21C8.tmp, XML 10->50 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 10->78 80 Adds a directory exclusion to Windows Defender 10->80 82 Injects a PE file into a foreign processes 10->82 16 NEW-ORDER_pdf.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        84 Multi AV Scanner detection for dropped file 14->84 86 Machine Learning detection for dropped file 14->86 25 schtasks.exe 1 14->25         started        27 HRIxsrY.exe 14->27         started        signatures6 process7 signatures8 64 Maps a DLL or memory area into another process 16->64 29 ignwlUeUDovmoszSETuR.exe 16->29 injected 66 Loading BitLocker PowerShell Module 19->66 33 WmiPrvSE.exe 19->33         started        35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        process9 dnsIp10 58 www.touchclean.top 67.223.117.189, 49738, 49739, 49740 VIMRO-AS15189US United States 29->58 60 exclaimer342200213.net 84.33.215.91, 49754, 49755, 49756 SERVER24-ASINCUBATECGmbH-SrlIT Italy 29->60 62 9 other IPs or domains 29->62 96 Found direct / indirect Syscall (likely to bypass EDR) 29->96 43 dfrgui.exe 13 29->43         started        signatures11 process12 signatures13 88 Tries to steal Mail credentials (via file / registry access) 43->88 90 Tries to harvest and steal browser information (history, passwords, etc) 43->90 92 Modifies the context of a thread in another process (thread injection) 43->92 94 Maps a DLL or memory area into another process 43->94 46 firefox.exe 43->46         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-16 03:14:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57ivoep6zep6zcfrw3dqjezkjztjpn47t2qs2k3wnnjqqhay2q4a._file
Verdict:
malicious
Similar samples:
3003d6e6c58def2f4857cac3e566049f95985bced0b50a6ca537b493bb72de73
Formbook
522df31fa6822a48a743918cc4371daaa6ca5aade2713ddf6e4a7726c78d54a7
Formbook
d42df773a5031e58adb497c874fcf6d5b723aaf6eadd29283a834a08d9cf712d
Formbook
d94b9ee70ad9ab6ba6f81c0f01565681714c56297d8d5826135c80c6cbbb2146
Formbook
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240416-jgc47ace54/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
6e093e11ecf0b624902be2e85d2c120e7cebd9dc3d882e11a658d2ef3083c5e9
MD5 hash:
7e29b899a573f0662c2c59588e62b523
SHA1 hash:
ee1d0cde2b34332668e65bc9d8715d3b7d06dfa0
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
Parent samples :
efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55
ac61066997c1ed196dc3311c32afc2507ec5e97c46242b12871dcec8b558e040
SH256 hash:
c1c823b721025cc3b1b2d1c9ca85af2b1acacbb17c17c326a4e97b55219a35ec
MD5 hash:
ae3c132f8ffbee8f9b7c7a21b1ebbec3
SHA1 hash:
97dc762487e30eb1a15f2ead39403a99b5c115f1
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
2c8ffb357bb7d47824e232ea9724a927c8ad4fc5dd57011f186dcb0f554b98c4
MD5 hash:
4b314ce8be6bde5446094d2ff17d048a
SHA1 hash:
b3a6f76671d40ba1374fb3c8872fed287d65d97b
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
0b55016d4354fa25da6837c4091a7d7339f74babdf4afc9991c033819bc779f7
MD5 hash:
ef0dbd1748387f6dd814641e9d16df25
SHA1 hash:
6d42bd9eb57d42a7d8cf2898f5a25b2d279f1d2a
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
5d3b862b27a5560f64437cb6536329849a21cdf636a5a60903f09e5a26d6e6ae
MD5 hash:
a3e7359f4b2bba12f1351f95d29edaf0
SHA1 hash:
3bde250aa41f4c8bb377611a8da6158265c7d2c5
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
ccdd181bea8e7866e52aecf161105632ab90a0ea318b3159332cbcd87f225d44
MD5 hash:
89592d1b8e580dc44f76dfcac555877b
SHA1 hash:
ff07799991e2590cb15542d07f1d12ef6f382626
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
92512d036883c44306b0ae8905a9c5900d795e8dcf16041fe887b3ac189a2a9e
MD5 hash:
c9509ba0f3a7c17a0ec5ec1a9bb88896
SHA1 hash:
c6dd723ad1c36c523a9cd821ac47b53e23831030
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
d74f5efe06c2642b342929316a76256abe0ec2f7eff5c85d7c54e02c591546aa
MD5 hash:
58c62405ae1581a6c174b48518e38009
SHA1 hash:
bc65a91d238975f81ed68c531a9dc41c78279508
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
0d8b1af7db8188953ecba145aa22fce186e9c1d84a07a8f2d20922bd9863f43b
MD5 hash:
c2d290b6d521df82f94c59d1d93fad60
SHA1 hash:
3816ce05e592c9b62accd58e16d8ef4c3bf76553
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
11c531eac48f193852529e1445f395c2a6d1b959d8b03525c4626bb8355b79ff
MD5 hash:
8179ea4bd5c8e4aa1d9feb3ec7a068c4
SHA1 hash:
1a916c0d70991bd89bb7488d5b03c6c5811baec1
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
b70aa541be7b1a872538bccaf159201623b9cfb90b8ea4ee6dcdbbe0ce1d17bd
MD5 hash:
8a3629c987980c0dff84e32e79c4cba6
SHA1 hash:
008359d3bc786c5d648c6a9659b7426549bc236d
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
SH256 hash:
efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
MD5 hash:
069f621ff78d521669387724f936f693
SHA1 hash:
80eaae5bb96882f5c3e3569cac657f82a47815d0
Link:
https://www.unpac.me/results/90fe2568-c2a6-4d3b-b5cc-94091c543763/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/efd15711fec9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments