MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450
SHA3-384 hash: 6934630d67b82ac8e4ed5f3b18dad56aba64217c37268280ac685de5d67dc26a29248871e7b25ea9c1200b6a83c9695b
SHA1 hash: 49d57001227534632899f9feeb00f4b4e9a007d8
MD5 hash: 065638a8d93b24ae2f7dd54c501e2e2f
humanhash: zebra-three-fifteen-jersey
File name:New Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:734'720 bytes
First seen:2023-05-22 11:06:34 UTC
Last seen:2023-05-22 14:06:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:TvV+s1bSQT6tjjdB4AA+ulmngD2Io0g1RsPIk04Byimud+Klb5HxjONY3dwDOOO:Ttu1um0V0CPV5qY3dw6O
Threatray 2'986 similar samples on MalwareBazaar
TLSH T1DCF48B5633B57621F87D33FD01156389CB38B44A2022E22A1F9A39D546E37EB771A2D3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
263
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
New Order.exe
Verdict:
Malicious activity
Analysis date:
2023-05-22 11:17:09 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/b131bf02-5f24-4f3e-97f4-02b94c986c03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2040.10296.22775.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/646b4cd828eb892e1f247b2c/reports/d3b09034-03d2-466e-bbce-ce065b8e41d3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e760bc46-6672-4143-aa3a-88bc2c36597d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239518
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 872521 Sample: New_Order.exe Startdate: 22/05/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 10 New_Order.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...28ew_Order.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 14 New_Order.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 1 1 14->17 injected process8 dnsIp9 30 natroredirect.natrocdn.com 85.159.66.93, 49702, 80 CIZGITR Turkey 17->30 32 www.dropbath.com 17->32 34 5 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 explorer.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2023-05-22 11:07:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6by6a2zjjlmu43ed62zvvfyaxdft34rf45qjm4ykhblh3yofaria._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02b060c393fbc76a082ef0411f28e2be60bce1af80ea2df91f003e9b8a762b88
Formbook
09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21
Formbook
1fe93bcce0611f7025ad13add45a4f37516a1e9b3f348e553fa27d184bf441c7
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
47c74b216015a03abc6bf2a786c4c760fe23f5ce920c9a0ed6e68aa340568e84
Formbook
6f6635f95155f37d66c295977e973d28b681fb57fc50caf361e5e13f1037008a
Formbook
6f6b3a191b4aad04649e0a6da4c6d2d73f037813cbeb84f4635c1a0d06ea2252
Formbook
9b72403d8d0663158210961631adbc2b5574b89c249804edef87de56ab36c9b9
Formbook
a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc
Formbook
a8982b67f297cc68ff3f3de02cc7b60d51c8b4a3db85971ce4f73149fe67b6ee
Formbook
+ 2'976 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g3th rat spyware stealer trojan
Link:
https://tria.ge/reports/230522-m7zbwsga56/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
68769f4c820b5602505d9e226fc80672dc83003ea191fd0ac7be7e765d63ec7d
MD5 hash:
f2744b081c54844dd96d318b989d509c
SHA1 hash:
51dbad6b2ab0369b1f2c58fef356a1d5e2159701
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
SH256 hash:
1f5bc7997fbefad47ba836e74a08cface659d9650e9ff5a73a444078014ea382
MD5 hash:
d3215440d6825dd71ef78151c6274581
SHA1 hash:
12894dbfc3005d307ae01669f56829f1ba3cb2a7
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
SH256 hash:
59f70fe53058d2d81b6545f6924f36dfbee7ce27af3137e1d4d1578fa1396235
MD5 hash:
60f202fb3bf4bca3eaf1278e05e54593
SHA1 hash:
cfcb15ceff7250786b8b7787fce8d02743ca4a11
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
SH256 hash:
4c7ce432433fc3a8b0a33d558e0041d3f1c222224c5e61f33104d990a534c7a4
MD5 hash:
e8d756b4e2de5a67446e0b1b80e1bb99
SHA1 hash:
b664448f87ac044a16706d35e5d76538ba79508a
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
558fb13e146dcc9a8ab1f46f3a5d0c3fd718e04b249178885c06c987559d0e79
MD5 hash:
e58a5cace7c5de2bf87b62605f94f235
SHA1 hash:
7c8b2b0375e2a024b81f73d1c2930622de606539
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
SH256 hash:
f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450
MD5 hash:
065638a8d93b24ae2f7dd54c501e2e2f
SHA1 hash:
49d57001227534632899f9feeb00f4b4e9a007d8
Link:
https://www.unpac.me/results/ebc5e748-0584-44d3-a6ff-4d9c70d2ff05/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f071e06b294a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f071e06b294ad94e6c83f6b35a9700b8cb3df225e76096730a38567de1c50450

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments