MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05af9b06832797a977a4f5c419addacd8c15453411112609bf4dd5c6106726af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: 05af9b06832797a977a4f5c419addacd8c15453411112609bf4dd5c6106726af
SHA3-384 hash: 1d5abbda4a56104e3abefab4d728c1984beb95184e20f5f321f6fa8e5268fc72d462bcdfb78622b2c2da4a046f112cb4
SHA1 hash: 6922b1707b477d763b03ad145990b9b002ee7c68
MD5 hash: 9f5ba5a1bcd059ec94f485383a646c7a
humanhash: pasta-failed-sink-carbon
File name: SecuriteInfo.com.Trojan.PackedNET.2158.30221.21056
Signature: Formbook
File size: 930'816 bytes
First seen: 2023-11-02 03:19:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:q05b3nsa9x1Lsqb+5OLGweqWQmSreZUqiQG73Ny+9Kmizpfdfs+4xtoCDCb2SyvR:qzuGwx5mqQi34DtZdU+4r8iSyv6L1vW
Threatray: 376 similar samples on MalwareBazaar
TLSH: T1FC15953D68CAA526D638F296C430EBD6F243B7463783C94A7FC24B6DB41232976D518C
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 317
Origin country: FR
Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a window
Restart of the analyzed sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook

Result
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-07-05 04:36:04 UTC
AV detection: 15 of 23 (65.22%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.