MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd
SHA3-384 hash: d49d61140c9df7aafbaf1f0106cd32e6a07195e96f5734c760b2c5b3ddea35d50a202a5b9d16ec443722cd7fb73742c0
SHA1 hash: 2434ed065d21158800817d8205d050b70862fd5f
MD5 hash: 6874255f9a00e31939cee16bfa7a9d5b
humanhash: seventeen-spring-echo-coffee
File name:Purchase order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:752'128 bytes
First seen:2024-09-04 09:33:05 UTC
Last seen:2024-09-07 15:11:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:0zjLf30WH0pfBAvJNGTzV0tFPCTtSiG0GWl4VEYR24pzuuhvMGGh1U:yjj0y4qgmtFPCJ9G0GtJ1pvvva1
Threatray 114 similar samples on MalwareBazaar
TLSH T1A2F42302B7EE96ECD4AE4F790D750460B3BBB41B1A72CA1C7E98109CAD33B5614A1737
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
10
# of downloads :
383
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase order.exe
Verdict:
Suspicious activity
Analysis date:
2024-09-04 09:34:33 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/d973a799-92fe-42fb-924a-aa04d3c2a06b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Rogue.0hr.20240903-1040.UNOFFICIAL
Create hunting rule

Win.Packed.Msilheracles-10020638-0
Create hunting rule

Win.Packed.Agensla-10021078-0
Create hunting rule

Win.Packed.Formbook-10021419-0
Create hunting rule

Win.Dropper.Nanocore-10024150-0
Create hunting rule

Win.Packed.LokiBot-10026312-0
Create hunting rule

Win.Packed.LokiBot-10027126-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d8298e8e12b8124ac93034
Tags:
Execution Generic Network Static Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed vbnet
Link:
https://www.filescan.io/uploads/66d8298ce9db3734a22822c8/reports/e8363337-d0e4-483f-85f0-bef470e881eb/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18257535-0201-482a-866a-c1a4f2754e42
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1504002
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1504002 Sample: Purchase order.exe Startdate: 04/09/2024 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 10 other signatures 2->50 7 Purchase order.exe 7 2->7         started        11 KlqkQbi.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\KlqkQbi.exe, PE32 7->36 dropped 38 C:\Users\user\...\KlqkQbi.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\Temp\tmpCB9.tmp, XML 7->40 dropped 42 C:\Users\user\...\Purchase order.exe.log, ASCII 7->42 dropped 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 Purchase order.exe 7->20         started        56 Antivirus detection for dropped file 11->56 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 schtasks.exe 1 11->22         started        24 KlqkQbi.exe 11->24         started        signatures5 process6 signatures7 62 Loading BitLocker PowerShell Module 13->62 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 conhost.exe 22->34         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2024-09-03 11:52:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7p6i6jfpkiykehnxohk3phi55ndrs5ggt3urvogql5zravrzphoq._file
Verdict:
malicious
Similar samples:
44c35217277fbfdde4251ac9c9bad106247b6f5ca5ca0f1dbaf8f3343b364af0
Formbook
827b585be59db284704a585700546262b2e33b6ebecbf0fd9f95097af2068a64
Formbook
84bb8bba33e1a515260b02421d72da6ad0d685d432c64c572a230337dca28c54
Formbook
8b3c86cb96e0bc77cd80fd68892694cd7f3d899462b2398588c9aa4dc9828ae8
Formbook
f1f812cecd0c3a44a3bdca6720dacd7c572ab9bde801be98c521ab89b20c97d7
Formbook
+ 104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240904-ljrrgaygmg/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e375a7bf-5484-48f1-a252-80d2bd86adc5
Unpacked files
SH256 hash:
ed84e742622297425076d7af18a8d69a2f1c3d91418af54eae4272826cad8802
MD5 hash:
cc57a85478e3dc472bf8b8c158a2ee72
SHA1 hash:
7eb6e96fdeb7a1902bf4cd5077710db365235d1d
Link:
https://www.unpac.me/results/b31f83fb-6e53-4a96-8f50-8d0604227637/
SH256 hash:
a7ca8f668bb1dd9b056bc14a6bfb247c8348788c320171723c42d857f98d4e0b
MD5 hash:
0f3d4ec95e9a777879cc235877f239da
SHA1 hash:
e8366fee7d27cf4279b74ca927c3ee1e8d5380d6
Link:
https://www.unpac.me/results/b31f83fb-6e53-4a96-8f50-8d0604227637/
SH256 hash:
7a4b1c2b3a236bc7cac25c9aa07163d9eb19233065e88b7304ce6e46c6a36e0f
MD5 hash:
7fa95c2554a74e0805581e20305069d8
SHA1 hash:
aa77eebba993f3e79b4971f5c135286e40b066a1
Link:
https://www.unpac.me/results/b31f83fb-6e53-4a96-8f50-8d0604227637/
SH256 hash:
49f635595ca67b9aa316246b4f00cd066dda7e1642472d92233cde710dfeb461
MD5 hash:
5782d79a67500cdc07713eeae349c938
SHA1 hash:
649790f64be3467311276f5eeecfea8e3bb3f50e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b31f83fb-6e53-4a96-8f50-8d0604227637/
SH256 hash:
fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd
MD5 hash:
6874255f9a00e31939cee16bfa7a9d5b
SHA1 hash:
2434ed065d21158800817d8205d050b70862fd5f
Link:
https://www.unpac.me/results/b31f83fb-6e53-4a96-8f50-8d0604227637/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fbfc8f24af52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z 87462f5f9e52aef3921a1c339cd2e306d680ec6943893937cb562850b4cdd578

Formbook

Executable exe fbfc8f24af5230a21db771d5b79d1deb471974c69ee91ab8d05f7310563979dd

(this sample)

  
Dropped by
SHA256 87462f5f9e52aef3921a1c339cd2e306d680ec6943893937cb562850b4cdd578
  
Dropped by
MD5 cc093359587f4f561c298d53ee8fe4f9
  
Dropped by
SHA256 19fddbf394a1713a3051100de5ba2d6448efcd72609d9239bababcd31c88be39
  
Dropped by
MD5 8e205e5f3c15b2a219a30976c55e9e73
  
Dropped by
SHA256 912daa2b2f94bd255a5488cfee0a2731aa57da74178277014cb77f4fbaf80466
  
Dropped by
MD5 1ea4e4d2945fbd1e058fa3ee0d621f26

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments