MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f
SHA3-384 hash: 610148313ef4fd3debd7d619bdbfe0eebb703d40f4191282a7ade1058d035c7d6b8f950f0b9b7d220edc5e998b1f6a09
SHA1 hash: 5fdecf94b842dfc9671dd45930250f40495e1aa4
MD5 hash: 61eafa6b150d73e3975136b8c81c505e
humanhash: michigan-december-music-don
File name:Document.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:905'216 bytes
First seen:2023-06-15 21:31:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:NvSy+iTB2Qws+6NR+mEsieJgyDlkSzkNPDP8IDV4M5ZRU9sWXlHrvoHGp:VSyjc6NqvClINLEIDV6DhoHGp
Threatray 1'228 similar samples on MalwareBazaar
TLSH T14315E83D5BB48EE390B4C65847CCB4E7B1859B1735884F5548EE933B128E90E7AC227E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 21:34:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e989b99e-c47a-4198-9a60-b413b3c99b21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399337/
Detection(s):
SecuriteInfo.com.Heur.MSILRandomKrypt.3.30529.26286.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/648b8352fad28f3c32b65c8e/reports/8408fc28-77f0-4603-a5ff-73d0a9358cc5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/57c6b5c8-331b-4e74-9e51-8cf76332fa4b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255661
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 15:30:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abcgw6hilnzb76fldfsd6riqotwvfu6oxespawprwhdxrl4pyqxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
Formbook
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
Formbook
36bd2802a452a2bee1659648b0a4b1de0cde1ebac09d0d5ebe0e2c1189483432
Formbook
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
Formbook
6371e6f808e46f98c8d2e98d1a81203dc6ec3aa755ee5e61bee436bcfdb92cbd
Formbook
83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
Formbook
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
Formbook
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
Formbook
+ 1'218 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230615-1dletsbe24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e031d5f3652259dd052e79eaee198ab7fb0feb522a859771289a39a73a297f06
MD5 hash:
5e5b621044793588fde2b9482b862083
SHA1 hash:
b85e8343fc412a63748589cd544b90ccc841dc92
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f8a2e8b7-ad0c-46b9-bf3d-3a96a3ac5cc6/
Parent samples :
0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
19a7140e84227b4d9af59569af23a0a5a1edd34c45b24691348f227f2c540712
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
8bc2209887fffd6b27980ba8c2c138deb45370c5b0a8434f9542897c6a05c931
ede3876cdaa9f15dc9f49a080713bfc4e254d222d99c2a09b999d62d1d4f8c05
b755e080b9f6705b088275a44a96251bc547ad58b4f63c9988d90e1c97bf283f
36bd2802a452a2bee1659648b0a4b1de0cde1ebac09d0d5ebe0e2c1189483432
6371e6f808e46f98c8d2e98d1a81203dc6ec3aa755ee5e61bee436bcfdb92cbd
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
607dcd836bd33a6d2afe6ef3c632468ef126eb49923409e246ba7ec86311c5a7
00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f
SH256 hash:
fc83e07cff47a7ea1058bf4d75f6d98fcdaf457a6f88007dccbbc36796a16847
MD5 hash:
fe559bbf47ec0c554420bba97f79ba0e
SHA1 hash:
c097427b5800a352d105c830e98332fe8925bcdc
Link:
https://www.unpac.me/results/f8a2e8b7-ad0c-46b9-bf3d-3a96a3ac5cc6/
SH256 hash:
0c317a4ca53cbc755a1f04a94d1e3119e780c44396bedd436aa88af376e9838e
MD5 hash:
e7dd589f5132b6f407f18cc8977825f1
SHA1 hash:
c44b6330ed31ccb60da88dcf10453024dec773eb
Link:
https://www.unpac.me/results/f8a2e8b7-ad0c-46b9-bf3d-3a96a3ac5cc6/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/f8a2e8b7-ad0c-46b9-bf3d-3a96a3ac5cc6/
SH256 hash:
00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f
MD5 hash:
61eafa6b150d73e3975136b8c81c505e
SHA1 hash:
5fdecf94b842dfc9671dd45930250f40495e1aa4
Link:
https://www.unpac.me/results/f8a2e8b7-ad0c-46b9-bf3d-3a96a3ac5cc6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00446b78e85b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399337/

Comments