MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f
SHA3-384 hash:	5d9642908a27f3c17cc866c1a83db8a73e494da6c30a0d9d781ea80224ab5ed40ee0cd2c61d473fbc420fe6895724124
SHA1 hash:	130e5ce8668129f7927f27c68f533cc326cd73b1
MD5 hash:	33e6e514a8a39873caa1961a2db5bc45
humanhash:	aspen-california-mockingbird-don
File name:	Urgent Bulk order cms quotation request 4179202023.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	797'184 bytes
First seen:	2023-09-29 06:54:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:9ujA/EP5AypEsNZw2hGdkKFFAo7SBkFEkhPgep4KoGA:9uU/+mypEsNIkAF+BIVD4N
Threatray	26 similar samples on MalwareBazaar
TLSH	T16005F53C10ED2A89F36596BCF3744EFF57D5796F81ABB8B7AC4CA59306A97C04502220
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	exe FormBook QUOTATION

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Urgent Bulk order cms quotation request 4179202023.exe

Verdict:

Malicious activity

Analysis date:

2023-09-29 12:30:28 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/4b022949-3f31-4c9f-9887-f615d042479a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451869/

Detection(s):

Win.Dropper.Malaz-9939293-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/651674c833582f234e06a252/reports/e2eeb9a8-6000-4e1d-8149-a96f565ae3a8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/162b1218-4539-4552-bddf-fbfd809bbb74

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1316206

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f/

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2023-09-28 19:00:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=66b3cx6b4ij2mpobe4ve6rwwgcxakqwtu7h7qoxb34nz56wg7rhq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230929-hpsdeagc6x/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Unpacked files

SH256 hash:

1b0705e9fbf7286da16280b0a353f20980bcb9444cdfc2267552b2347edd450d

MD5 hash:

aa260194b2fc4c3f08aa11f94313a130

SHA1 hash:

c0550f309b1aa0eb93a3b827422305dd773169ce

Link:

https://www.unpac.me/results/7677c033-8b69-40b0-80c2-000645f0da84/

SH256 hash:

eae295b9f95b0b618d0dae374f26e700d8b27b5a9b4c65f5872c0ba797d9a5ad

MD5 hash:

29240f36c9b7fc6f7e1792c94e62eee7

SHA1 hash:

9c13994a69dacc8f92bc5aa1d21f2c55ef5ccec6

Link:

https://www.unpac.me/results/7677c033-8b69-40b0-80c2-000645f0da84/

SH256 hash:

46ce87580abd6e102a796cfb16a52ccfc32696a762662eac517b625e2c65f30b

MD5 hash:

3ff1724822b9d4a85d730c076d08e8a6

SHA1 hash:

f071d5fe617fdb90fe0d4e0aced7e5ae6db36b89

Link:

https://www.unpac.me/results/7677c033-8b69-40b0-80c2-000645f0da84/

SH256 hash:

5cf51d1a8d4bd940740e90e3962cea8e939e791ef7c5bd88d1a0cb574af25b70

MD5 hash:

9407c2206b85c7cb0949ef623fa614d8

SHA1 hash:

df6e3ec48a4e673d93fc6818db52460ce8fadd9a

Link:

https://www.unpac.me/results/7677c033-8b69-40b0-80c2-000645f0da84/

SH256 hash:

f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f

MD5 hash:

33e6e514a8a39873caa1961a2db5bc45

SHA1 hash:

130e5ce8668129f7927f27c68f533cc326cd73b1

Link:

https://www.unpac.me/results/7677c033-8b69-40b0-80c2-000645f0da84/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f783b15fc1e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 17d272750dddfce88ccd4f7e6f5296f0f4ac9886fa6f1d0aa12c086507debbbe

Formbook

exe f783b15fc1e213a63dc1272a4f46d630ae0542d3a7cff83ae1df1b9efac6fc4f

(this sample)

Delivery method

Other

Dropped by

SHA256 17d272750dddfce88ccd4f7e6f5296f0f4ac9886fa6f1d0aa12c086507debbbe

Cape

https://www.capesandbox.com/analysis/451869/

Dropped by

MD5 ea417761dd217b7b0159a15fe479c364

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample