MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
SHA3-384 hash: 836104f128e8c99e2fdf9f5e499e0636fe7213334be0c2f5ee4ea3f4304fdc949e4166277e4e801f885fe1e0c63561f3
SHA1 hash: 07f5ef2fa08ad8f8ca4a7d146c57bf30c359801c
MD5 hash: 4463a7e42710fcb268d160ea8544a60a
humanhash: freddie-yankee-alanine-missouri
File name:shipping documents_FEDEX.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:643'072 bytes
First seen:2023-07-26 10:00:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:tJmefaynhPRWiy4u0ZPHgjMeQmRf8kYbMFZJEnvS6:ieCQJWiZB3eRf8kaoZKr
Threatray 3'397 similar samples on MalwareBazaar
TLSH T1C0D4121473ACAF17C8769BF5025A544517F0CA77602AE3462FC3A0EA9EA3F145760F87
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FedEx FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shipping documents_FEDEX.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-26 10:02:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28e488f7-b07f-4fad-ba4d-9b2585ec995b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/433519/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.13360.16778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6048e0a-c1cd-46f9-9af5-b0a85d705a8a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1280024
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 10:01:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jtuwo7of6fodiefo2qey3jqdzmpgos4mrlnglqjxxuopglupgqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10431b996eebfb109db1ffbf5f789d750cae0942f011591275f086e4cc946498
Formbook
2dbe70cbbdcaf38adeeb141e74dd76d8c2bf2f3d3ad7d4e9b6ac2b75aac70b53
Formbook
4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
Formbook
4afdcbfec30e01b2acb21c8c175e088771f9d9f478785b8f6f4fe9388c90b2d6
Formbook
67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496
Formbook
6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a
Formbook
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
Formbook
9442fbb4a8b6fff536bf913966cf56849bd7808397a8426ce01fbe1c0577a2ef
Formbook
a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
Formbook
c5b99e7807cf9f4add86f8521664eb8416fd87532cc8378076826ccdd74adcc3
Formbook
+ 3'387 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230726-l18fjsbc9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
e19264c74d7e9e7bdb1285d3ee5e917860eeeb9fe8687b32db67706eaa31281a
MD5 hash:
542ef80ceb62960eb33fbe6032e7d61c
SHA1 hash:
6e68147757bfb122d5915751ec99e454ee46923d
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3e6c8cfb-3122-4c28-bb73-5d0b2f86aef5/
Parent samples :
2fe516e9dac323f21ac793310c22d151e6d95079a59cc99ed6cad79691901c26
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
bfb1e4ae02e8f53a6d2023eeda4399be5502b9ab99770c9c3e4bfde0548a459b
490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0
831fb5c161081d10c2e952ef793f5db28c5aba8b7e0e858aa1e755481b875baf
SH256 hash:
11b0695e4b2ff83ae2454447092e1ca84581d3341dba1433fba718f13851e575
MD5 hash:
18462fcdfc6d9057e79fed9ef4d57d79
SHA1 hash:
427f69305ee749e27fd865cb220a2a79d5c037a0
Link:
https://www.unpac.me/results/3e6c8cfb-3122-4c28-bb73-5d0b2f86aef5/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/3e6c8cfb-3122-4c28-bb73-5d0b2f86aef5/
SH256 hash:
1bf69033e97a8ad8d59469dd2f1aa57bab7461345e9993acc83afa48029c95ac
MD5 hash:
58419415321b3303da79fcd299874125
SHA1 hash:
a7a4c4fb47ccefd232a543219e2f4e0e12520912
Link:
https://www.unpac.me/results/3e6c8cfb-3122-4c28-bb73-5d0b2f86aef5/
SH256 hash:
0af448c693e92f5a6d1b44fc04c210e99e4606a7643451a16af46a0833952631
MD5 hash:
5c13b900769464c7e49650bccc7389ee
SHA1 hash:
1bb39105675172c2c5df579416e98760bd3889c7
Link:
https://www.unpac.me/results/3e6c8cfb-3122-4c28-bb73-5d0b2f86aef5/
SH256 hash:
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
MD5 hash:
4463a7e42710fcb268d160ea8544a60a
SHA1 hash:
07f5ef2fa08ad8f8ca4a7d146c57bf30c359801c
Link:
https://www.unpac.me/results/3e6c8cfb-3122-4c28-bb73-5d0b2f86aef5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2674b3bee2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/433519/

Comments