MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 065447963af3f19bf39599204f7617764ebc6703b795cb5948d7660e01c955ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 065447963af3f19bf39599204f7617764ebc6703b795cb5948d7660e01c955ff
SHA3-384 hash: 3d2bbc634fa217c8f63e8bdef4be6ce1ccb0e85334ea65bf78af147fbbcfc725e4c5a50e16f5f3e4278d762a42825eb0
SHA1 hash: b4de3f4e4a14fd1bd4097adc0a8c93b54c18d091
MD5 hash: 751b6fd81898d660445aa73dbd12878c
humanhash: cardinal-may-chicken-muppet
File name:SecuriteInfo.com.W32.AIDetectNet.01.25914.17421
Download: download sample
Signature Formbook
Create hunting rule
File size:1'080'320 bytes
First seen:2022-05-18 09:34:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mTqpRuphCnHSDWjJRGqcULk2ZW6zIpQbHL91pxxvIbBonl2zjABQflJrF9tkgGZM:BweC0kcW6MOtDQ1olOjAgSGpD
Threatray 15'852 similar samples on MalwareBazaar
TLSH T139359E44B244BCDFD4074D72CCB99C206124BE5A822AC60F35537A7D98BF3936926E9F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b2b2a8a6aa928e8c (9 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.25914.17421
Verdict:
Malicious activity
Analysis date:
2022-05-18 09:41:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fa03c64-5522-4460-9278-6b279ff2edc5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/272009/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.25914.17421.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6284bda8d06ea2f4a07477ca/reports/b7e21536-80c2-4f7a-8bb2-e4b38cdd71ca/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b1c0dd1-1e50-4a88-ac99-15d907b550a7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/996649
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/065447963af3f19bf39599204f7617764ebc6703b795cb5948d7660e01c955ff/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 09:35:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azkepfr26pyzx44vteqe65qxozhlyzydw6k4wwki25ta4aojkx7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
38dcb9b9943a8e9c79592af3c754aae2feb84c832e7111828224f2bd663f3d82
Formbook
5d199f6e3b18707bf891e790552a097e326cb170308a95d4915b1a8e1718a4cf
Formbook
68a837f8646bc09c634d13045d36ee05f43f319e88c2a47295d01c47574accae
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
786d7fef1f6b313461e01a67b89db558dfd79a558a2669e73ee0483717600bd0
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea
Formbook
f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
Formbook
+ 15'842 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:v22n rat spyware stealer trojan
Link:
https://tria.ge/reports/220518-lkcc6sbadj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
668cbe0a93489313a99155f7f271ecbeda6af710c74c300382b35c967cb0ae88
MD5 hash:
1b3228731d7dcfc516ca42afb025e2a9
SHA1 hash:
355cfea2cbacd0ebbea68edf1914fef0651f9a6c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/addcd998-7649-4b04-957b-3338bd5e9bd3/
Parent samples :
ea2658a5a9c2e881e0b36d923947e1ea742ab6f91071d80be1f9977cbe6a96c2
bf9fc9f690971624a76b90184876db7aee742ffe51309340fc7db584d3441876
065447963af3f19bf39599204f7617764ebc6703b795cb5948d7660e01c955ff
b9959e90aa4c3f30ba809d83c2f5fe0e4a2cfe1be7aaa0a7c503221de6b2b4ed
SH256 hash:
d991350a12cfab6747c047004c323117f78fa52d9eb8916453198b82ce62cdf0
MD5 hash:
9a2f8ce66bb1f257a648d70a55a3f1a8
SHA1 hash:
17eb0c6efa87eef776b3f0f0a175d2f7d8fd25a5
Link:
https://www.unpac.me/results/addcd998-7649-4b04-957b-3338bd5e9bd3/
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/addcd998-7649-4b04-957b-3338bd5e9bd3/
SH256 hash:
690fbc5a286b33ba8d9d0118aedfae445a125c65657cce39dabffb28065551a7
MD5 hash:
8659d3ba0a5fb8e04124c3cdebdc890f
SHA1 hash:
1bb1a21b7ff5fc6789fef4d9336968fdbc43507b
Link:
https://www.unpac.me/results/addcd998-7649-4b04-957b-3338bd5e9bd3/
SH256 hash:
065447963af3f19bf39599204f7617764ebc6703b795cb5948d7660e01c955ff
MD5 hash:
751b6fd81898d660445aa73dbd12878c
SHA1 hash:
b4de3f4e4a14fd1bd4097adc0a8c93b54c18d091
Link:
https://www.unpac.me/results/addcd998-7649-4b04-957b-3338bd5e9bd3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/065447963af3f19bf39599204f7617764ebc6703b795cb5948d7660e01c955ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272009/

Comments