MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0514ab522ec1de0af5ff4f0026c2ca19f740c5797d3d561dcf63095709b2015f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0514ab522ec1de0af5ff4f0026c2ca19f740c5797d3d561dcf63095709b2015f
SHA3-384 hash: adc237ab5c9dd4adc54a15ccf06cd53bcf800e8d56c43844eff51a41ad2316793f1c32c6224d1b2c7fc60f130e7e46aa
SHA1 hash: a09c60efc648be4a28e085ee2104165006646163
MD5 hash: 551074d991a6d76c241b5b13bb843c80
humanhash: stairway-king-ack-blossom
File name:SecuriteInfo.com.Win32.PWSX-gen.8451.4496
Download: download sample
Signature Formbook
Create hunting rule
File size:942'080 bytes
First seen:2022-10-05 09:00:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XPsR/4vecUw98NuuZ0z96gbGf8LnBbCEnIOK:fO4vecUa8tm96QGf8LnB5I
Threatray 15'661 similar samples on MalwareBazaar
TLSH T14415CF3106E6DA0BC4165238DDD2C3F06FE85EA4E2B6C3474FE9BD6BF44B4B6AA11144
TrID 54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4c4d4d4d4d4d4 (6 x SnakeKeylogger, 5 x AgentTesla, 5 x Loki)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316770/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8451.4496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633d47d1d089a0c15dd54d98/reports/c9e604c9-8fce-4357-8e52-535d89f5ac04/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91545803-720d-496a-9a0b-ab4d36789a6d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083960
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716517 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 6 other signatures 2->54 8 drgnVSs.exe 5 2->8         started        11 SecuriteInfo.com.Win32.PWSX-gen.8451.4496.exe 7 2->11         started        process3 file4 58 Multi AV Scanner detection for dropped file 8->58 60 Machine Learning detection for dropped file 8->60 14 drgnVSs.exe 8->14         started        17 schtasks.exe 1 8->17         started        40 C:\Users\user\AppData\Roaming\drgnVSs.exe, PE32 11->40 dropped 42 C:\Users\user\...\drgnVSs.exe:Zone.Identifier, ASCII 11->42 dropped 44 C:\Users\user\AppData\Local\...\tmp8FC5.tmp, XML 11->44 dropped 46 SecuriteInfo.com.W...n.8451.4496.exe.log, ASCII 11->46 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 11->62 64 Adds a directory exclusion to Windows Defender 11->64 19 powershell.exe 19 11->19         started        21 powershell.exe 19 11->21         started        23 schtasks.exe 1 11->23         started        25 SecuriteInfo.com.Win32.PWSX-gen.8451.4496.exe 11->25         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 27 explorer.exe 14->27 injected 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        process8 process9 37 svchost.exe 27->37         started        signatures10 56 Maps a DLL or memory area into another process 37->56
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0514ab522ec1de0af5ff4f0026c2ca19f740c5797d3d561dcf63095709b2015f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 05:18:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aukkwuroyhpav5p7j4acnqwkdh3ubrlzpu6vmhopmmevocnsafpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2e6b14e41b3f871355635c7427cb1531a9b61a37e137f90a590d21eab7648f2f
Formbook
4072ef77c0ab086cc41e0e997d147b0bf5e8473db4c34eaa4a9024fc7207c18c
Formbook
408380ef1cec0eb81bd2068b1391da2b24e378c52fca48c94b922d9a0cc57753
Formbook
714e4e1608cc5486e6ebbb112c3dda90ce2398d346539ef636adb31d5268ee58
Formbook
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
Formbook
939449a87190abf31d57482abe60fe159bd807abf7716daae0f0b3e217dba0d1
Formbook
d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb
Formbook
f281fed414237c484d936802d8bc112995ba6df5c9485207a284b8fc31edf2e6
Formbook
+ 15'651 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:uymo rat spyware stealer trojan
Link:
https://tria.ge/reports/221005-kywtasdgg4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8eca9533-453e-43a1-9e97-4a785b39bd00
Unpacked files
SH256 hash:
4a0f25ba5bfa58f0da9d5d8b3a5fcb8410768dba642d1ed49055992ba6b424b7
MD5 hash:
61124d94be8974bcce5368650b3e6628
SHA1 hash:
96108297e87b81bb05e725ef111822d47d866978
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
Parent samples :
9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369
fbc14992308d88c7a33989479793655a4ff4c9caeb3c011f6e95b11c55f675ef
91c69e984e53cc30d77e21fcb1a44044fff62368ee2740f04b3b26bfb82f2967
e3ac8c8b67752d68d7c6b20ceee1fd8d60d8506b0da5cd589c6e5976ecf8b0c1
310b4ffa559e06b739ba7b4d7cd12f47286aec7352a8aa5296955f0a7f49b190
c09cee65ae5836198280c323cb525a699721d2c02c8c83ba0ff61189592774f4
5d83498b9c6024ab916f54e78a7af7cac3f2e2fa3a9b8a347c32e0dd946ac753
SH256 hash:
cc8d00bd20e65f242e9dd5f769d3f4db614b79dfd8866d9782a0c6cef1e304b4
MD5 hash:
0ceb5c1d97b423df5f236c7ff088942b
SHA1 hash:
d5ff267189a16c064d3bd20c45faa086d9379cc6
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
SH256 hash:
7dd6a2398484e5c06f2dd7134b4bb60ed260bcc4f8102ea18d571121ac158ad5
MD5 hash:
444b8e5405e17c3928eb6358b69add23
SHA1 hash:
e6736cf41532058e5ce06ebe4ed525f5569ad278
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
SH256 hash:
5fbdcb76c77563ed3d729fdca3396169c54443253001cf9b1b6b75a0f75cdcb4
MD5 hash:
629c31e71cfa6aab7a62bef45298816c
SHA1 hash:
932da9270d08d3b97ad1fb75e3d3180481f91096
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
SH256 hash:
edf72c343da0bacc4db70022f8cef3216e56a35c37ae873d39b16bad8a951aa2
MD5 hash:
f272315795dd75ff8bde6dad2b97ac49
SHA1 hash:
7bce2daa449cd1c7a0f165f38bd2d8b22fe8a30d
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
SH256 hash:
0514ab522ec1de0af5ff4f0026c2ca19f740c5797d3d561dcf63095709b2015f
MD5 hash:
551074d991a6d76c241b5b13bb843c80
SHA1 hash:
a09c60efc648be4a28e085ee2104165006646163
Link:
https://www.unpac.me/results/36831421-2977-48b3-8991-d475a1950637/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0514ab522ec1de0af5ff4f0026c2ca19f740c5797d3d561dcf63095709b2015f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316770/

Comments