MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 012a52b12d6268cb8aa122b2382fd58f69c392feb596712ae52748bd832ec604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: 012a52b12d6268cb8aa122b2382fd58f69c392feb596712ae52748bd832ec604
SHA3-384 hash: ea149be1ab678d8b2e71828e339aba7a5f59c0e506756e1a498d9bd2535d3d81168fd5a467af8906d2968a8964a8189d
SHA1 hash: 860648853cb82dd649a8b53eceb61e433162a80b
MD5 hash: a106e3ad7e9d1d2f929a92e5e720cb4f
humanhash: ceiling-winner-sad-hamper
File name: cotización_Latco1782902.exe
Signature: Formbook
File size: 615'424 bytes
First seen: 2022-04-22 06:05:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:AFiI/UQLgplHe4oWLUI3fbgu7mfVNXjFOs7Iq3od7lTPcT7j:A1UQLgpleyUI32ffXJ
Threatray: 15'131 similar samples on MalwareBazaar
TLSH: T11DD48CFC71817DDED41BC6B98A687C60663130B39ACBD616423B21888F9DFD69E005DB
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.3% (.SCR) Windows screen saver (13101/52/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: a888b8bab8b888a8 (3 x Formbook, 2 x AgentTesla, 1 x Loki)
Reporter: cocaman
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 218
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed pos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2022-04-21 10:09:05 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 18 of 26 (69.23%)
Threat level: 2/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:ms83 rat spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Unpacked files
SHA256 hash: 99bdd5920af10d81c3e20efa7cbb86772caa4416405a9594c37f1861bea48bbc
MD5 hash: ca25eb791df80c840843ea96a424f7e3
SHA1 hash: 2f927104170cf7d4538d889bb3b543838c2d3b66
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 02b92db37eb5d57832cf01ee583c06c5d938ba99cf0bdb82308b4a16d92f86c4
MD5 hash: 89f82f2ab8795f80935f39ccb0799bc9
SHA1 hash: 460d807dd8abca4c2e5f21e44f380990ba1fc34d

SHA256 hash: 5680c529ee9d94d831df983fb4eeeaa8fd7f89902881b57750fd3e0c5e0ee11b
MD5 hash: 3b4b7b8eec5ecca5344fae8319d8c3a5
SHA1 hash: 2748f4b64d51f4c072abaa11301b2767b0e38191

SHA256 hash: 1aa4fc30228e0fba51cc09f83871d47307260ec8062eafa8fae9fc597092bd21
MD5 hash: 802f7afb1ae019ad91d1fb8457584fc2
SHA1 hash: 01b9cbfb733242791c32025ec39432181472f11f

SHA256 hash: 012a52b12d6268cb8aa122b2382fd58f69c392feb596712ae52748bd832ec604
MD5 hash: a106e3ad7e9d1d2f929a92e5e720cb4f
SHA1 hash: 860648853cb82dd649a8b53eceb61e433162a80b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Formbook
File: Executable exe 012a52b12d6268cb8aa122b2382fd58f69c392feb596712ae52748bd832ec604 (this sample)
