MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a
SHA3-384 hash: bd5dc53024c3eb151affcf03ec87b00cff834756090d90dceeabf6762670e9c3a397756cb0e4ebeaeb0c13ba6eedcab7
SHA1 hash: b4f6949742a6ce9e9610df636aafe7743883db64
MD5 hash: c78e929a5b11f83aa90306f498a4d6a5
humanhash: hot-sodium-apart-item
File name:SecuriteInfo.com.Win32.PWSX-gen.10783.4606
Download: download sample
Signature Formbook
Create hunting rule
File size:1'266'688 bytes
First seen:2022-11-23 04:27:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:mV1G+MSdbPST5T56ZqOklEEcMJ1aW6lhgWlR/XrOwR7EqdOp24H4444C:mmodrm5TG5mikQoWvOwRgqdOo4H4444C
Threatray 18'600 similar samples on MalwareBazaar
TLSH T1D9456D8B1F320DA4CB4E3870094E077C9352FD6D6CB4DDA6EE3466641DA25AB7E4232D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 36c29292b2e88c82 (54 x AgentTesla, 33 x RedLineStealer, 11 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.10783.4606
Verdict:
Malicious activity
Analysis date:
2022-11-23 04:31:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2b1e7b6-49da-4091-b4ae-241783cbbd73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337443/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10783.4606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637da1565be128ac718e6f62/reports/bc77649a-6bbc-440b-879f-ca56dce2779f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc185db2-b9d6-4912-a2bc-b37cf867bcfc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119436
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 752154 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 23/11/2022 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 Sigma detected: Scheduled temp file as task from temp location 2->61 63 7 other signatures 2->63 10 dsXLGuesexo.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.10783.4606.exe 7 2->13         started        process3 file4 65 Machine Learning detection for dropped file 10->65 67 Tries to detect virtualization through RDTSC time measurements 10->67 69 Injects a PE file into a foreign processes 10->69 16 dsXLGuesexo.exe 10->16         started        19 schtasks.exe 1 10->19         started        41 C:\Users\user\AppData\...\dsXLGuesexo.exe, PE32 13->41 dropped 43 C:\Users\...\dsXLGuesexo.exe:Zone.Identifier, ASCII 13->43 dropped 45 C:\Users\user\AppData\Local\Temp\tmp72E.tmp, XML 13->45 dropped 47 SecuriteInfo.com.W....10783.4606.exe.log, ASCII 13->47 dropped 71 Uses schtasks.exe or at.exe to add and modify task schedules 13->71 73 Adds a directory exclusion to Windows Defender 13->73 21 powershell.exe 21 13->21         started        23 schtasks.exe 1 13->23         started        25 SecuriteInfo.com.Win32.PWSX-gen.10783.4606.exe 13->25         started        signatures5 process6 signatures7 49 Modifies the context of a thread in another process (thread injection) 16->49 51 Maps a DLL or memory area into another process 16->51 53 Sample uses process hollowing technique 16->53 55 Queues an APC in another process (thread injection) 16->55 27 explorer.exe 16->27 injected 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        process8 process9 35 msiexec.exe 27->35         started        process10 37 cmd.exe 1 35->37         started        process11 39 conhost.exe 37->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 04:28:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqroxekzl2ozrv7ug47zdpyazdngqxq4vykukcbia5uy3g7jlofa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3445e39bbdb44be96fabe1e9e7a8804f18176fdaf9d2191d8006a95d87d8eda0
Formbook
476cfcd8e4efbaad00e44089bfe1eab950cd627656f960b74a1dce1f9e5686dc
Formbook
5d781e4eb5ff900fa98654ed3c4de450539f80dda2f2e03a6303f781937ecbd4
Formbook
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
Formbook
7a16dce8bd82a023e48ceed80a37c70de9859cba4764686bf41b2b14df81ce3a
Formbook
8cde8e6a8021c1d4d221179126d6fdd2a2a20a2b24f57fc20202f86640350f96
Formbook
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
Formbook
9a11023aa7479ba614e1287f7acba0822e95d707810eb9165cf994742d5eb34f
Formbook
fd8ee1def801bc959d1fefac476f1adea2c6d66f21fe1c144e53e4b1fc92728c
Formbook
+ 18'590 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a4b0 rat spyware stealer trojan
Link:
https://tria.ge/reports/221123-e3netsef7t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
92517f96cf0ea92dbd830c7a69d66c75a0d322d52361d7078b2ab8c4ac954129
MD5 hash:
799a5a5beca91a5a079b4c0f272fa43c
SHA1 hash:
6a32981af85f0fe86371fc1e651c894530feadac
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
Parent samples :
baf5d53f07c0cc8ed9ba7055cc91a18b936d0342e0792f618ee6846cbb8859b6
c875024dec744f6883a1716dc5bf67cd65e1cb201f7d2b40fc4a953101ae9848
0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a
SH256 hash:
cefe87a0de015dc44dc1086458460be07edba8d9f7211c4bed8a11809d520a72
MD5 hash:
0403b7f4765e08a2f74690caf1a82990
SHA1 hash:
b0e9f69b8c337b605edecdcc3345c6f0045ee04e
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
SH256 hash:
51b97a886e1601c7a9be446c11a4eae0c2714b7bc88f8569952e14be4af5487b
MD5 hash:
7e5e809c0ebbccb3a07f24e918d126e7
SHA1 hash:
c7dbdb920b6ebef710df16d1bde2d75ecd7e4270
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
SH256 hash:
2fb3275e2853b0b04bafd1417f8dca4c04e24336c62126e06c110665883a8f20
MD5 hash:
03bba401e963924dfd0fb5b55daf426d
SHA1 hash:
38132b53f38d64674aba052a9d1fe47de01e0507
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
SH256 hash:
bc98e487bed5993b3e3a3be4d540702a0bf4c8144e77ef69d518e4687c33a9e5
MD5 hash:
3974f5769d3b304fc777fbff679f62ba
SHA1 hash:
0a038394581fc29078a75f13b2da079b8094ae6f
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
SH256 hash:
0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a
MD5 hash:
c78e929a5b11f83aa90306f498a4d6a5
SHA1 hash:
b4f6949742a6ce9e9610df636aafe7743883db64
Link:
https://www.unpac.me/results/b6908a08-0abb-4942-982f-5548aaef477c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0422eb91595e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337443/

Comments