MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1
SHA3-384 hash: f18f46f6e59ef8d3984f8af872fd108cfb9f71d6078ba49c6dde915857fb9ad2a0cdc42b52131acd292eb4db4503d167
SHA1 hash: f2947934d0bd15322a84e88bab17bb4e8cd913df
MD5 hash: ca0e01565e05e4f49ec3b5ec66012fca
humanhash: bacon-friend-johnny-moon
File name:ENQUIRY REPORT_PRICE REF-LPRN- 20221096__Pdf_.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:870'400 bytes
First seen:2022-10-12 05:51:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:Rp/rtf37a8eMmZKOWdnj4CSOu1yjLpqvjupkP3vPN:HtfrLeMsKXiCSL1yjlEju4fP
Threatray 18'435 similar samples on MalwareBazaar
TLSH T17005597A12964507E8153175C8C3D2F32AFB9E607061D1CBAAD76F6FBC450BFA212386
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319185/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.15444.30719.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6346560448a09eabde10c8d8/reports/394035d8-4644-4bbd-9d72-a93a3a7b8bb6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/867ba4cf-27c4-4bed-b4c1-9f41bc98a619
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088548
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 721141 Sample: ENQUIRY REPORT_PRICE REF-LP... Startdate: 12/10/2022 Architecture: WINDOWS Score: 100 27 www.suttazet.com 2->27 33 Snort IDS alert for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 8 other signatures 2->39 9 ENQUIRY REPORT_PRICE REF-LPRN- 20221096__Pdf_.exe 3 2->9         started        signatures3 process4 file5 25 ENQUIRY REPORT_PRI...21096__Pdf_.exe.log, ASCII 9->25 dropped 51 Injects a PE file into a foreign processes 9->51 13 ENQUIRY REPORT_PRICE REF-LPRN- 20221096__Pdf_.exe 9->13         started        16 ENQUIRY REPORT_PRICE REF-LPRN- 20221096__Pdf_.exe 9->16         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 18 explorer.exe 13->18 injected process9 dnsIp10 29 www.horizonarena.com 81.17.29.147, 49687, 49688, 49689 PLI-ASCH Switzerland 18->29 31 www.lei-solutions.co.uk 199.59.243.222, 49686, 80 BODIS-NJUS United States 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 22 msiexec.exe 13 18->22         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 22->43 45 Tries to harvest and steal browser information (history, passwords, etc) 22->45 47 Deletes itself after installation 22->47 49 2 other signatures 22->49
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 02:07:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ivs7lirgbmduv52coiygmfgfi4m4bbj3ewmtdg4eo27ng7ushiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
360ef3cdbe11529374631dfc266ed59c1d5d55f6609b8c0903634e9fefac5c96
Formbook
3d9766bbf57730b0aa1d3d43a8ce30d7f7b0798b82f32d235a06af5cdbb6ab6c
Formbook
3eca58af30a24d1b5697c4079be161499ec28e5ec399738619c640633b6d1781
Formbook
62d20f5ce8950e995b0736bb3bafedb34f3b7d95f190b3a0a1592d808f697cac
Formbook
939449a87190abf31d57482abe60fe159bd807abf7716daae0f0b3e217dba0d1
Formbook
b49c593f78359176f5ac6fea2897de702c51d6e7838ae735cd326d68d99b5aed
Formbook
d14d54e9068268b8b42b66b6bce13f374f4ea151e6af9389513a5afbbf152a23
Formbook
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
Formbook
f281fed414237c484d936802d8bc112995ba6df5c9485207a284b8fc31edf2e6
Formbook
+ 18'425 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o6ho rat spyware stealer trojan
Link:
https://tria.ge/reports/221012-gkqhkscffm/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/87c802e1-41f7-4898-a0cd-319bb7f494b2
Unpacked files
SH256 hash:
d30dcab8f4c2f46b0c0ba4ba31dd87a18bea3b7159992de18d5b819411b832c7
MD5 hash:
b8492da9231f3b994ce855d9f5f3134a
SHA1 hash:
be4efb9458ffc1f9a14ac2960d607c9a9603d953
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
Parent samples :
0225459bb8ea76c802e15479e006d7df265038fa9b789eb91c61ac7f4f1ce56e
f281fed414237c484d936802d8bc112995ba6df5c9485207a284b8fc31edf2e6
fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1
7a891f05ccb7ae90f90914f8238e754aadb4cfc16d19231a99efd1e09e244064
SH256 hash:
a0998b14f1cb5cadb26a6c966b50cdef03c32e9479ea9b59d352326eeb2c82ae
MD5 hash:
516baa2f79e506963998997c1eed921d
SHA1 hash:
0e4e4b806369043f2cc0476e1c922143e2d9abfa
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
SH256 hash:
7f613efe3ce6cfd59c171054a994fb85d6d18142712d3aee8f040611036e96f4
MD5 hash:
2a6bf69d7b85b3c77109338a36a830b5
SHA1 hash:
86f2c5015a3adceae587ecb8b4d648ee6057a46c
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
SH256 hash:
02fa63b463a8e67752ae25738f5a8a41953c128266105ebbb550ac2817fb1973
MD5 hash:
0eeb09eae7780ab315c9e447fad5f381
SHA1 hash:
0780d9df0df474ffaa0523b3252ea45ca257413a
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
SH256 hash:
fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1
MD5 hash:
ca0e01565e05e4f49ec3b5ec66012fca
SHA1 hash:
f2947934d0bd15322a84e88bab17bb4e8cd913df
Link:
https://www.unpac.me/results/176bbf87-12e2-4832-8098-271f26fe0dbc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa2b2fad1130/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fa2b2fad1130583a57ba13918330a62a38ce0429d92cc98cdc23b5f69bf491d1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319185/

Comments