MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8
SHA3-384 hash: 00d1458d27146213b1c12077c2ee6bc1fa45c15dc48c5ef9685ebb6f98c14e0ec1ee27b16be384d02178a579ead1a9d7
SHA1 hash: 37a236b4bea30fd46aefed9f8095b8c7989f0243
MD5 hash: 8a06791059a482faa0cf845d2b953351
humanhash: bakerloo-delta-april-mockingbird
File name:Requisito de pedido #23022300.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:724'480 bytes
First seen:2023-02-23 10:15:48 UTC
Last seen:2023-02-23 11:28:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:SPJGinDLjolG1e+ASVTsirGDGFyhMfJk+2EEQLYb/voPDNstJpbjoA:eBnDbZASVTsirGDGFyKk+A/v22zpr
Threatray 531 similar samples on MalwareBazaar
TLSH T1EDF40101B7494F55DEA410F084E3811923E2994F3EB7DA967C881BF6AE05BD7CCCD28A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Requisito de pedido #23022300.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 10:18:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/bd81f623-c72e-4436-9bd5-755e96f64d2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369240/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.6305.7092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f73ce35741abdfaa9f1e6a/reports/e2c13b7b-858f-4c90-9adc-7c85a2523df2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3530b547-6712-41f8-b902-068446b6cdc9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181217
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 814048 Sample: Requisito de pedido #23022300.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 31 www.awc.icu 2->31 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 3 other signatures 2->41 9 Requisito de pedido #23022300.exe 1 2->9         started        signatures3 process4 file5 23 C:\...\Requisito de pedido #23022300.exe.log, CSV 9->23 dropped 51 Writes to foreign memory regions 9->51 53 Allocates memory in foreign processes 9->53 55 Injects a PE file into a foreign processes 9->55 13 CasPol.exe 9->13         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 16 explorer.exe 1 1 13->16 injected process9 dnsIp10 25 www.verde-amar.info 185.53.177.54, 49695, 80 TEAMINTERNET-ASDE Germany 16->25 27 krankenzusatz.net 81.169.145.158, 49704, 49705, 80 STRATOSTRATOAGDE Germany 16->27 29 13 other IPs or domains 16->29 33 System process connects to network (likely due to code injection or exploit) 16->33 20 chkdsk.exe 13 16->20         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 20->43 45 Tries to harvest and steal browser information (history, passwords, etc) 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 10:16:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
5
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7g3arohkcx46qfeovjz6vfxc574yhoai7himwlzh3az6x26bmx4a._file
Verdict:
malicious
Similar samples:
0eebf99a370bae273ce4afb5cd4e361239c53bef88fc345220cdf6960d2c491f
Formbook
0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee
Formbook
34b51359ad6122847ab773704dd928b28eb69382bacc7575278f2b25af583ac5
Formbook
478bd9421ff11177d8974922f1eec334f1af15845054ce1dbc42b1c9bbd4a484
Formbook
8271b73c229772949561931797ba49d42098a5f9eb97276252462ba7c1261951
Formbook
a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a
Formbook
f07483b6c09732c8d5e094bd2e2b405477ddbf8e220c12bd7982bc132cf44a04
Formbook
fa6790808827339055e37fd629d03406c1cec5b41ea8f778b0484e9f1610f170
Formbook
fec6af49d1a7c7b4bf3af5e663b80ff142788e7d79b312a2180ec7b8b89f18d9
Formbook
+ 521 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230223-massvahc9z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
.NET Reactor proctector
Loads dropped DLL
Unpacked files
SH256 hash:
f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8
MD5 hash:
8a06791059a482faa0cf845d2b953351
SHA1 hash:
37a236b4bea30fd46aefed9f8095b8c7989f0243
Link:
https://www.unpac.me/results/1ceb58b1-1e6e-4e22-ac6b-d955608bcea1/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9b608b8ea15/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/369240/

Comments