MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667
SHA3-384 hash: f75534b853e99d27e50b09e83001e1e63215696375b553fb607267a8a16a27a6d3a5a16208ef4ddb7c809072856ad968
SHA1 hash: 6e20ca5f346f7d759a3a5a068ef809830c66832d
MD5 hash: 8fa609b33a113c038e0ebdf97f81b0a3
humanhash: lemon-king-oklahoma-bravo
File name:NEW ORDER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:711'680 bytes
First seen:2022-05-24 12:50:50 UTC
Last seen:2022-05-24 13:48:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:xALsayAYww7wnt3Sc9Y26W5SO9s6yxR35dk/zUQzW5C9VP0rCt/2auggvZd:eL8lMnt3SZiAR35iAu9G01ug+Zd
Threatray 16'162 similar samples on MalwareBazaar
TLSH T11CE4F1197A56EE02C37917B6C0D7502403F694879331D78A2EDE12DA1E437A5ACCABCF
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
NEW ORDER.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 03:00:37 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/d264e663-6170-4668-afaa-e1bc4cb3cdce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274082/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/628cd4b96eb3ff326327aa4a/reports/638a04e3-c1cf-484c-9b9c-2bd94b03b4c7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95481727-a294-450c-843d-c5f571dfac16
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000863
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633354 Sample: NEW ORDER.exe Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 36 www.8562.pet 2->36 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 12 other signatures 2->46 11 NEW ORDER.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\AppData\...28EW ORDER.exe.log, ASCII 11->28 dropped 14 NEW ORDER.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.capitalisllc.com 23.235.138.152, 49828, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK United States 17->30 32 www.joga-wroclaw.com 85.128.128.104, 49784, 80 NAZWAPL Poland 17->32 34 5 other IPs or domains 17->34 38 System process connects to network (likely due to code injection or exploit) 17->38 21 rundll32.exe 17->21         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 09:24:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cb4zkni6btf6m7knu5bgps6r7h4r7bojaun3s6yya2titt4kztq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d77b75875a9194d47cc35e0a00c6ae29215e585616a28b2519239ee6a6a8165
Formbook
50d25ef6868b83e6b25fdf60d4a2c83824f2278d121babb6a3a548e53bea4ea0
Formbook
6ad94828733d211368d39bc8669735c844df4d7c2265ff4869558c683170e18f
Formbook
a9915e261e819e5388755f6e20a93b55c096eb7b81b930c7212a77be734a97b2
Formbook
c0760105fed05b99698c3f1e5bb6ed6e2e9b386315d0e187cd075b8ed5ea7fe5
Formbook
c08090499272c9eb85fa61570bfd62799b3c3bd1441b1a86f2720bd03a17dfd5
Formbook
c944efe6f7ebc5786e8db1b3a3b4296daacce868fe45318adf01617050e4ea9e
Formbook
ddf2076a3a130fca2fc2d48f41e77adc2538ca0cc9327d2bee0d5a8bdbbe5c8f
Formbook
edc8375d2a96c96eb0d3b8c7acfba4a9ba7f602deb4a2738d4ff07f0ee129e98
Formbook
+ 16'152 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:amdf rat spyware stealer trojan
Link:
https://tria.ge/reports/220524-p3gmdseefl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
f44e4c73d593278c11ac37c4166f7a85493ed0b8b41ad06d0c696839b659bca6
MD5 hash:
592614a0b186e4050c6630875c9f318a
SHA1 hash:
b562e180e2d3cdc6c7baaff7a818aee0fe6e1a6d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/aee48ade-b08d-49d0-a04c-08ccd6869f8d/
Parent samples :
ff4e7b32b4c4ac0f5fbdd12b9c2ffd894fe647d1d22fe009035cc307a540322d
edc8375d2a96c96eb0d3b8c7acfba4a9ba7f602deb4a2738d4ff07f0ee129e98
f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667
fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58
fa318879db358e490dc763417711d144a17bd5ad8061821a1e820521ebefac16
b1b671842ea0b17a67e78741ceb401ccee0907e55c7a365aa78bf17aebe8e356
363c3288efc15bdba3db28988766e6554fca04e6bcb49e094f7a521388016fe8
SH256 hash:
f49f2a940861ffa3a66cd6c57922225547e5025dcfa4dd5d179c959c74231376
MD5 hash:
2e1004f18160efa9e76b872c36e972f2
SHA1 hash:
cc99c268133163c5422e6aacb365eb94256c9149
Link:
https://www.unpac.me/results/aee48ade-b08d-49d0-a04c-08ccd6869f8d/
SH256 hash:
1b9a4c0bf19114e7e329e4b099f9612988ee31ea3c65c195cd1806646965719a
MD5 hash:
4e14717cd0bf8a173aeaed2dae5eb264
SHA1 hash:
b95e06b86d4ec5858ec8fefc872a2d19e262a311
Link:
https://www.unpac.me/results/aee48ade-b08d-49d0-a04c-08ccd6869f8d/
SH256 hash:
2cbc5a7814d4ecaa2af24fb5f9a1fb6baddd1f0c4e169d981cd0206de6a707a2
MD5 hash:
09d546cd3bee03dac25e1ca44e392bcf
SHA1 hash:
2fb6496a811ecf4b587e3ffb22101daa2a9a6788
Link:
https://www.unpac.me/results/aee48ade-b08d-49d0-a04c-08ccd6869f8d/
SH256 hash:
72c91fdad59e06742ab11408962929f766b4fbe34e6b4e730dfb02707c08a430
MD5 hash:
06b823e64681bae033de886e22f0c8b6
SHA1 hash:
0791fc63e09cf5b5e77ebebf46271b7e66a39c7c
Link:
https://www.unpac.me/results/aee48ade-b08d-49d0-a04c-08ccd6869f8d/
SH256 hash:
f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667
MD5 hash:
8fa609b33a113c038e0ebdf97f81b0a3
SHA1 hash:
6e20ca5f346f7d759a3a5a068ef809830c66832d
Link:
https://www.unpac.me/results/aee48ade-b08d-49d0-a04c-08ccd6869f8d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f083cca9a8f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274082/

Comments