MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04fcb96d2e900247b8773dc5ff106d673da732ecfb31e58109133c08e16e1d86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10



SHA256 hash: 04fcb96d2e900247b8773dc5ff106d673da732ecfb31e58109133c08e16e1d86
SHA3-384 hash: 99c9b89cbc0426e0ad6d149fa85236b4fee9bc81d76f191de3417609416e260fd150aaa56b24affdb317dbba7dd0c329
SHA1 hash: 55d2a699507363029e9c46021aa88c2e001004b8
MD5 hash: 2e940d2cbe3d110e326a7c8109520661
humanhash: sweet-spring-vegan-edward
File name: e-dekont.exe
Signature: Formbook
File size: 1'142'784 bytes
First seen: 2024-02-05 14:40:53 UTC
Last seen: 2024-02-05 16:40:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:kqpCrAaXYykD9c3hv6yjv1EOgKquenEs4Gipu2PgrFEDRCsEfbSpC9aLafOfYkhE:TpGIr9cx9v1UmrGqgrmDRCsEJ9a7V
TLSH: T1B5356DD1F150C99AE86B06F1AD2AA43021E37E9D94B4C10D599EBB5776F3342209FE0F
TrID:
71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: abuse_ch
Tags: exe, FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 286
Origin country: NL

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID 1386846, sample e-dekont.exe, start date 05/02/2024, architecture WINDOWS, score 92.
Root-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures.
Process chain recovered from the graph: e-dekont.exe starts a second e-dekont.exe (signature: Injects a PE file into a foreign processes); that child maps a DLL or memory area into another process and injects into three kncQaihMPjPUbgcSxWA.exe processes; each of the three injected processes then starts a WerFault.exe.
Threat name: ByteCode-MSIL.Trojan.Remcos
Status: Malicious
First seen: 2024-02-05 05:07:28 UTC
File Type: PE (.Net Exe)
Extracted files: 31
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: a99197a2e3f477d15802a9b2250a01f7cd2be8ed435141a4e280307f2a7f2b7a
MD5 hash: 9ac50796df27f8b3977d71000d15927c
SHA1 hash: dcf769debf4522b0800188ab9cbef26d1dbe8aed

SHA256 hash: 139096e31122f9408e1964afea3240f6456a1f74ecdd684621e5b3838255c544
MD5 hash: 1df09da7eedd7ddd7dfa19d895d4f885
SHA1 hash: e80e3629fd031a2753f4ac4942d93e5f27027e97

SHA256 hash: b12806cfc459d707518ce982849166ca99e95df5e05d4bc7bde7d3f4942cfe0e
MD5 hash: 7c59960bd60eda6f3da4824d1dd30e5e
SHA1 hash: ab771360df8926364dee0758a6fb6814576fd03e

SHA256 hash: 971c821aa19832e04f1dd44b19cdb909d36d27be2f9e62edd10bf7887a43d15a
MD5 hash: 6d7a285502323918820b8513b5f33d75
SHA1 hash: 9633177bbb29c2563fec4a7dd381f4a278588437

SHA256 hash: 0fc9372e4cb9d07d1cbdad67ccb5162d684ec84572fabd96e040cd73cb341ffa
MD5 hash: 1f6de86d40a33685d68f62dc31080b05
SHA1 hash: b0d939b41ec7e756f247e6f817efe2263dd923b4

SHA256 hash: 82de66769a4af899e42f6256ab2507eb85d4a45f86968da44eec846cf7200063
MD5 hash: e18b6e71311d71ba0ded28ed0d2c627a
SHA1 hash: 63481b9ab229472cc14dfc4406cdc9019fff77f4

SHA256 hash: 4963bb2f8b536d77721f2b0d5fda929dee4328d3e55a8804c445d87388b34244
MD5 hash: 8f686c756dcd2048a53daee124fd4a8b
SHA1 hash: 4ec62b75661fe79238eaf2e05392ed6e0be89652

SHA256 hash: 48272a87e32cc3052443dbd2d19976c17b014af52429da05a70d437b2b750b87
MD5 hash: 3c0306c88cc14a2878dc71de6fda57d2
SHA1 hash: 482d167bdd606829b4bdc5078defb787d96f133e

SHA256 hash: 8cec55819a1479e9661d2a82c69943777bca3d08e64dea2c230fa08bd6c021b3
MD5 hash: 4654fd4e8c13048d008d8ab99d6c2516
SHA1 hash: 38fef7e70e059b0ac1edcdfb659ef9fe06009c0e

SHA256 hash: 56c51bc07e6b2022cc6816a3ac9308db997919f74066ed8b56da057bc4aec1ac
MD5 hash: a578277c40aa523d3ea434b9dc929259
SHA1 hash: 29b6153929e8e71b61768210e8ffa3747b1bf528

SHA256 hash: 04fcb96d2e900247b8773dc5ff106d673da732ecfb31e58109133c08e16e1d86
MD5 hash: 2e940d2cbe3d110e326a7c8109520661
SHA1 hash: 55d2a699507363029e9c46021aa88c2e001004b8
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect PE files that have no import table

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_Formbook
Author: @malgamy12

Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security

Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 04fcb96d2e900247b8773dc5ff106d673da732ecfb31e58109133c08e16e1d86 (this sample)
Delivery method: Distributed via e-mail attachment

Comments