MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca
SHA3-384 hash:	f5a70f83300c5028b6a1c3a2b26a4a61e784836d14be7d8ac110bc5bbdb37c56be3348e45878442ed725fc5644d85d35
SHA1 hash:	ef86c7070042147d095e96d3fe72d2bafc388631
MD5 hash:	b80f01bec9178a6d663a880278f2edd4
humanhash:	cat-music-island-indigo
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.DWR.gen.Eldorado.12730.29637
Download:	download sample
Signature	Formbook Create hunting rule
File size:	627'712 bytes
First seen:	2023-08-30 12:28:09 UTC
Last seen:	2023-09-04 06:03:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:JLqULun/8FexWG+s4b7Vx5V5DX7DlojeuL5oT3cnQ6:5Luk6WG+bb7r53DX7Dl05ozV6
Threatray	21 similar samples on MalwareBazaar
TLSH	T180D41221766C843BCABE57F8D0A102261BB5682D66FFD7C85C4960CE7CFA7E84908747
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	30e8c89696aaaa96 (5 x Formbook, 5 x AgentTesla, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.DWR.gen.Eldorado.12730.29637

Verdict:

No threats detected

Analysis date:

2023-08-30 12:32:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d10e1f41-2a0b-4619-9cb1-ef0c8a7c7a82

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445291/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.W32.MSIL_Kryptik.DWR.gen.Eldorado.12730.29637.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64ef36101d3a8c6c1217ed82/reports/9088af6f-5eff-4d39-b3b7-68dcd65ebeb0/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ecad5aa4-befb-4600-acc6-97b2289d25d1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1300351

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca/

Threat name:

Win32.Trojan.Synder

Status:

Malicious

First seen:

2023-08-30 12:29:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aon7n7d57pno3yyfrn34tykw6ja7pu5el5wos7effigfst5wvxfa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230830-pnw4jafd25/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

7764d18a04ff4b5544d0dfd4a595f7e7029212945e953999e57531cc07e1b7f3

MD5 hash:

e4c2835988cf170c9b801b39019cfcdd

SHA1 hash:

d3777cdc3e2b486ab2bbc3ecd9141a2ef0ada9c5

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/6004ff41-8b46-4da5-b9f5-5595d7667345/

Parent samples :

039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca
e266f399bd4ae4bf061be020eb3b3cffd0a1a3621ff7985a200b9ead765f1238

SH256 hash:

08e156074d6c27ad2005705a78d0faba1a146b74e272138d8d11f1d691645727

MD5 hash:

adc1d06568a2b730473c1d80f8247452

SHA1 hash:

0488c95e7d433e5687211d7ac58500cc82b2ab25

Link:

https://www.unpac.me/results/6004ff41-8b46-4da5-b9f5-5595d7667345/

SH256 hash:

892761d55890a0af5517cc5da1b7b251539f9d1b5e126616def3b66b60b25f50

MD5 hash:

1381fe1ab71c80397a78422051edbd51

SHA1 hash:

e258e5a6e54f6314944e713515d22906fa4520f7

Link:

https://www.unpac.me/results/6004ff41-8b46-4da5-b9f5-5595d7667345/

SH256 hash:

c094444932babf732e788625413d66665af54fa789015decb7e2da3d3ab25dc3

MD5 hash:

49204dbac9267797c9f6679a4bac06ec

SHA1 hash:

5590f19a53f6e6a88d14adfbc83ea1cd7ae002c7

Link:

https://www.unpac.me/results/6004ff41-8b46-4da5-b9f5-5595d7667345/

SH256 hash:

889b6b2dc9f4c125a356ef86bab173fd26b1ce91a284c115c0d70db2874b3cf5

MD5 hash:

cf70645c4f55f47c186233b0badcee56

SHA1 hash:

369575490ac56a59298c4950b8f739eb3be73e6e

Link:

https://www.unpac.me/results/6004ff41-8b46-4da5-b9f5-5595d7667345/

SH256 hash:

039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca

MD5 hash:

b80f01bec9178a6d663a880278f2edd4

SHA1 hash:

ef86c7070042147d095e96d3fe72d2bafc388631

Link:

https://www.unpac.me/results/6004ff41-8b46-4da5-b9f5-5595d7667345/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/039bf6fc7dfbdaede3058b77c9e156f241f7d3a45f6ce97c852a0c594fb6adca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/445291/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample