MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a
SHA3-384 hash: 726b1042fea937a9062e5f3bec044f230ca35ad972eeec2ff57cc336eb0c52c28ce6bab63d44f4d956d0f851962ebfda
SHA1 hash: 0f47c5d8a12022e52a2862f9c6debc87aa898d77
MD5 hash: 16ab204c82a3ce0f4c63686aab6b695f
humanhash: cat-india-kansas-magnesium
File name:đơn hàng mới pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:641'536 bytes
First seen:2024-02-14 13:04:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WSBEkmXAUrHARCD9o6+0wf71gdXNEJBx0HSqjT/1x2iNQ:WiEkm9rHARsozt71ccYSqjTdx1
Threatray 773 similar samples on MalwareBazaar
TLSH T1EFD4135133BAAF10C8BE57FF9621009153F8AA573683F3B50D8972D919223529F52BD3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 3b79097947831b0b (3 x Formbook, 2 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6f49b1f-d85a-46cc-b328-aa7c2419801f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1392151
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1392151 Sample: #U0111#U01a1n h#U00e0ng m#U... Startdate: 14/02/2024 Architecture: WINDOWS Score: 100 31 www.acerola-anma.xyz 2->31 33 xiaoyue.zhuangkou.com 2->33 35 17 other IPs or domains 2->35 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 51 13 other signatures 2->51 11 #U0111#U01a1n h#U00e0ng m#U1edbi pdf.exe 7 2->11         started        signatures3 49 Performs DNS queries to domains with low reputation 31->49 process4 signatures5 59 Adds a directory exclusion to Windows Defender 11->59 61 Injects a PE file into a foreign processes 11->61 14 #U0111#U01a1n h#U00e0ng m#U1edbi pdf.exe 11->14         started        17 powershell.exe 21 11->17         started        process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Maps a DLL or memory area into another process 14->65 67 Sample uses process hollowing technique 14->67 69 Queues an APC in another process (thread injection) 14->69 19 explorer.exe 96 1 14->19 injected 22 conhost.exe 17->22         started        process8 dnsIp9 37 xiaoyue.zhuangkou.com 47.76.75.107, 49720, 80 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 19->37 39 www.clickuppdemo.com 185.151.30.206, 49718, 80 TWENTYIGB United Kingdom 19->39 41 7 other IPs or domains 19->41 24 systray.exe 19->24         started        process10 signatures11 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process12 process13 29 conhost.exe 27->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-02-14 00:34:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ivuprd7u5qmc7ft2276pmbuu2xkvasyi2oxcg36ate6sofwjyna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
56f2fe58468c40326131a779fb59a349bcba8e9953204fd2ea23c1285581cf5b
Formbook
6a14e79be0398899cfc53dc234f9e51f13705afe8b2cf15c404923bb6706ea09
Formbook
7a20db5d819b030f6b5a73104a5519d58743282a54aacfc444adf459ad5168bd
Formbook
7da9294ba554d4c17ed9e4caac9836e303980814c7898b422ccde7a246ac26a5
Formbook
a4e15cb73ccfc8ff3119326251deca62b7618cf21c6554eb3edd9aaca2d222f1
Formbook
eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
Formbook
f364037856ba668a59ccec86771c5f35e45d007192c79f63d83fec463f9d1ffe
Formbook
+ 763 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240214-qbhwtace37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
44a5589f59edbdbff9324606500daf7830ed519e1d824aee3263c1d5f18ef03f
MD5 hash:
3e92ee2394071dd0ca6c7c299e124c08
SHA1 hash:
7a16fa0c2e1412dbab8808749ed5667f0bc04357
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/fe389736-8f87-46e7-b10a-8a6bf994e4ad/
Parent samples :
eeb9ebbaf564800d692de3de873fafbfb9ed9f47459e83bc4a2ffdc1503a1799
f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a
SH256 hash:
2fdb2e1150d48b094ebe7fa3e6d54c3b4868e3466d07a8ea3c0947a77d7ad8ce
MD5 hash:
ec2baa41f7866161f49f41eb4b233e05
SHA1 hash:
f99f1044957b28ebc87412a125ec98f8bb163f1e
Link:
https://www.unpac.me/results/fe389736-8f87-46e7-b10a-8a6bf994e4ad/
SH256 hash:
6b6a8d3a80c2702cbed5b70e2a1bb0e7a43f491362e478d949743888c93e9c4e
MD5 hash:
c2989982d17bd98e887d1e29db58526b
SHA1 hash:
efe94cd523a90f1ef8d36f0bd14727de214fb82a
Link:
https://www.unpac.me/results/fe389736-8f87-46e7-b10a-8a6bf994e4ad/
SH256 hash:
a3b82e2d17f660c450ba4dae95a26b906f12626462a4bb9a6c2833071dd9faf5
MD5 hash:
cf3241f04cc546fa617566e84b5c1793
SHA1 hash:
0b9cbe0c45fba268857e11ad4d71105193c19d02
Link:
https://www.unpac.me/results/fe389736-8f87-46e7-b10a-8a6bf994e4ad/
SH256 hash:
f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a
MD5 hash:
16ab204c82a3ce0f4c63686aab6b695f
SHA1 hash:
0f47c5d8a12022e52a2862f9c6debc87aa898d77
Link:
https://www.unpac.me/results/fe389736-8f87-46e7-b10a-8a6bf994e4ad/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f22b47c47fa7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f22b47c47fa760c17cb3d6bfe7b034a6aeaa8258469d711b7e04c9e938b64e1a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments