MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da
SHA3-384 hash: 487bc9f5e2ffc7ce593e221191939c355046576b4546364f7d65549e398f4672e68ca1147fae4a5b601ca38ba70f3e93
SHA1 hash: 2169ba1540cc4269d9b02005275167492ac0112f
MD5 hash: fcfd0a06e91477320465da96eb6c1a8a
humanhash: alpha-magnesium-sierra-indigo
File name:RFQ_HP310823048.PDF.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:9'216 bytes
First seen:2023-09-04 06:58:29 UTC
Last seen:2023-09-04 07:01:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:yl9ocgfmLYvf4j4Zf+1n4ZrUAyIL/GtBXGUdvaq3rGe+:1fcEZW1n4ZrUAt/GtBXNdva4rGe
Threatray 988 similar samples on MalwareBazaar
TLSH T17612C602B7D806F7F2A84F752C5375502A777A41A877DE1F2C8820092E21B259777B2E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ_HP310823048.PDF.scr
Verdict:
Malicious activity
Analysis date:
2023-09-04 07:00:18 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/9709bb0d-b976-4811-810e-495493e1c55f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445970/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.2237.13766.11407.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64f580372a262962b7926b96/reports/7a262851-89c8-4b39-9b23-49df7f314f6f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d9aabc2-1f4f-40e9-bb63-1709cf6d8db8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302682
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302682 Sample: RFQ_HP310823048.PDF.scr.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 6 other signatures 2->46 9 RFQ_HP310823048.PDF.scr.exe 15 3 2->9         started        process3 dnsIp4 36 transfer.sh 144.76.136.153, 443, 49728 HETZNER-ASDE Germany 9->36 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->58 60 Injects a PE file into a foreign processes 9->60 13 RFQ_HP310823048.PDF.scr.exe 9->13         started        signatures5 process6 signatures7 62 Maps a DLL or memory area into another process 13->62 64 Queues an APC in another process (thread injection) 13->64 16 mdPJDxhXWsBfRXqCLBuWVhliHxWRiO.exe 13->16 injected process8 signatures9 38 Sample uses process hollowing technique 16->38 19 msdt.exe 13 16->19         started        22 autoconv.exe 16->22         started        process10 signatures11 48 Tries to steal Mail credentials (via file / registry access) 19->48 50 Tries to harvest and steal browser information (history, passwords, etc) 19->50 52 Deletes itself after installation 19->52 54 2 other signatures 19->54 24 explorer.exe 1 19->24 injected 28 mdPJDxhXWsBfRXqCLBuWVhliHxWRiO.exe 19->28 injected process12 dnsIp13 30 withintherosegarden.com 162.241.224.215, 49782, 49783, 49784 UNIFIEDLAYER-AS-1US United States 24->30 32 benedixit.com 162.241.225.51, 49761, 49762, 49763 UNIFIEDLAYER-AS-1US United States 24->32 34 4 other IPs or domains 24->34 56 System process connects to network (likely due to code injection or exploit) 24->56 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da/
Threat name:
Win32.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-08-31 12:13:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=674d56ugylfecovue7kvowobgmvhk65qwq42i6c4ia2xhxoa7hna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
185bc84b981c40e78829c220a28b4e7c431c2eefbac90d335b4a354986fa94de
Formbook
2372f2eaf92a7ead8900e31a36b6ef7f64ca2225220c816778f4d6e5711f6886
Formbook
4bc2162ae0ae133d359603b912865d8ed2f26029421a7dcfcf734f2aee216923
Formbook
869854b67188cf519a00264e8b1d02e7fef12ac977ffb8706fcd70645ffc23b3
Formbook
d5a06a6691aef83da53dc517b8bb6005f7477c1264e6aa76da11f9a3f55d3d7b
Formbook
dcfd3789031450eb5a469d1bdcc81955975a7516c9e1d12acaeccd6c0c031b22
Formbook
e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259
Formbook
ee89d22c597178daeea41330edb19ab7e0a2b0197d1d640440966cde25eeb7ed
Formbook
eeef9f8539d9b599419583ef85788fbfe021e088a53ec61b11b4b47a807a9931
Formbook
+ 978 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230904-hr3bdseh34/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da
MD5 hash:
fcfd0a06e91477320465da96eb6c1a8a
SHA1 hash:
2169ba1540cc4269d9b02005275167492ac0112f
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/02373159-3f00-44a8-aa97-fd90567411c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f7f83efa86c2ca413ab427d55759c1332a757bb0b439a4785c403573ddc0f9da

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445970/

Comments