MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: 06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca
SHA3-384 hash: b59145f716a2b7ac0b6bcbfc0167457de259f3c7a5477c196d34cb372b59a9ca69928b018a773074f30eab650d4177b7
SHA1 hash: 150445df55b90c9ba96c8eae2b05eecd3c4bf257
MD5 hash: eea5a59ef6ef5fb0b97e7b90cb861c76
humanhash: fish-kentucky-eighteen-fillet
File name: 0034687790905 -SwiftAdvice_pdf.exe
Signature: Formbook
File size: 976'896 bytes
First seen: 2023-12-18 17:17:30 UTC
Last seen: 2023-12-18 19:19:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 12288:TGXDY6t60JcOY+nsEQnu6HCjSsZWvi6p/BZuqFBYmcCMSN8GlJGsJcdyUSHR7wC7:6zo0Nsdal8vigOSNzg2coUsR7Nkyt
TLSH: T10325C33C58BD2237D6B5C3A58ADC8427F25CA46F3151ED6598DA93E203C6F4278D322E
TrID: 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.1% (.SCR) Windows screen saver (13097/50/3)
      8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: lowmal3
Tags: exe FormBook
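Before a downloaded artefact is unpacked, detonated or shared, confirm it is byte-for-byte the file this entry describes. The following Python check is an added example, not code from MalwareBazaar or abuse.ch: it recomputes the four digests the entry lists (SHA256, SHA3-384, SHA1, MD5) and reports every one that disagrees. The ENTRY_HASHES values are copied from the entry above; the byte string used in the demo is a constructed stand-in, not the sample.

```python
import hashlib

# Digests as listed on this MalwareBazaar entry (copied from the page).
ENTRY_HASHES = {
    "sha256": "06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca",
    "sha3_384": "b59145f716a2b7ac0b6bcbfc0167457de259f3c7a5477c196d34cb372b59a9ca69928b018a773074f30eab650d4177b7",
    "sha1": "150445df55b90c9ba96c8eae2b05eecd3c4bf257",
    "md5": "eea5a59ef6ef5fb0b97e7b90cb861c76",
}

# hashlib constructor names for the four algorithms the entry lists.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def digest_bytes(data: bytes) -> dict:
    """Compute all four digests of an in-memory blob (lowercase hex)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hash objects at once, so even a large
    sample is read from disk only one time."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(actual: dict, expected: dict) -> dict:
    """Return {algorithm: (expected, actual)} for every digest that does not
    match. An empty dict means every listed digest agrees. Comparison is
    case-insensitive because vendors mix upper- and lower-case hex."""
    mismatches = {}
    for name, want in expected.items():
        got = actual.get(name)
        if got is None or got.lower() != want.lower():
            mismatches[name] = (want.lower(), got)
    return mismatches


def is_entry_sample(data: bytes) -> bool:
    """True only if `data` is exactly the sample this entry describes."""
    return not verify(digest_bytes(data), ENTRY_HASHES)


if __name__ == "__main__":
    # Constructed stand-in; the real sample is deliberately not embedded here.
    blob = b"MZ constructed stand-in, not the MalwareBazaar sample\n"
    print("stand-in matches entry:", is_entry_sample(blob))
    for algo, (want, got) in verify(digest_bytes(blob), ENTRY_HASHES).items():
        print(f"{algo}: expected {want[:16]}..., got {got[:16]}...")
```

Run `digest_file()` on the extracted executable, not on the ZIP it was downloaded in, and treat any mismatch as a reason to stop: a file that matches only on MD5 or SHA1 is not the same file, since both are collision-prone, whereas all four agreeing is as strong an identity check as the entry allows.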

Intelligence

File Origin
# of uploads: 3
# of downloads: 306
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
.NET source code contains potential unpacker
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Result
Threat name: ByteCode-MSIL.Trojan.SpyNoon
Status: Malicious
First seen: 2023-12-18 12:42:41 UTC
File Type: PE (.Net Exe)
Extracted files: 16
AV detection: 17 of 37 (45.95%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 28cd88f0a40c6733df5cd6c1f1dada9324b654d207ad86a6a1b843f324d3877a
MD5 hash: 04bf4475bc18098c1f2c56210868373a
SHA1 hash: a8790a39aff41b5a7f29df3f3a9b4c7fd637b116
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 418ea0107febed831598bc008b707dff33c48ae2526a504cc35d3ce3ea57914e
MD5 hash: 0be3a2fbc324ce7d51fcc53090e09df4
SHA1 hash: 191918540e21b7940bcc0751d56ee969bebd31de

SHA256 hash: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash: 579197d4f760148a9482d1ebde113259
SHA1 hash: cf6924eb360c7e5a117323bebcb6ee02d2aec86d

SHA256 hash: c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf
MD5 hash: 160f4669c06c6496d79a92ea9d33e89b
SHA1 hash: baae226fdb2a9739f118db781bdc74f2efc6a585

SHA256 hash: fedf0cdcfe298f2d8a242a93166b2cf3fce66a13f04d3d5974dafab8ebf79b9d
MD5 hash: c92ff4c563150e9c23edbc3266248218
SHA1 hash: 76281026404574e508a9f4a99cf5781e4dd0e836

SHA256 hash: a7cbad4f28e828616f76c9f6267cd3f31b11226f0cb32dc8041bc7e1734dd7b4
MD5 hash: f35008c6cb0f5f480a920ca6c451fef4
SHA1 hash: f209831a398aa04005dac7dd9793495e1dfb184a

SHA256 hash: 48e5a619268388a799f01cdb4a03b125def47fa9d871a28b03813f7b4916dba5
MD5 hash: 5787ac7077f915ee7e23f833d49edf23
SHA1 hash: ea519f0ad859b5bd3ad62c761cee5463a2b7df8b

SHA256 hash: 67546c014289394b8d79cf995cf76258cc5985e485fddebdb4ce47d74cd81b97
MD5 hash: b2bd492317cda7c09ea753af0a46acfa
SHA1 hash: dfd0c7436c48ffbc30e075ed1e597ff3cb6edae4

SHA256 hash: a38375a4deb75ec342e8b37ac69f625b40146e9b70d7878e3cac96492deb6d07
MD5 hash: 7be25bc0f5e70dac0669f63a3f0b10b5
SHA1 hash: 5695bd560d2f0dc9f87d01a980689cfb49ac260d

SHA256 hash: 3db69706c05dabca1be7b0d3fa849458784cb467ba8e138af41c151a15f600d5
MD5 hash: ca95234566380fd9f1af40aa2db2e240
SHA1 hash: 49a5be2d9a71bcfeafb50da09ea5842d97698cf0

SHA256 hash: 16609f8e677738101ac41a30b155b711dffea0ad3cbe4184a78e7ebbc074d922
MD5 hash: 8390124f0ac0e605f8b3654bb8f0432c
SHA1 hash: 277ccaff0c44f93c863247bc82ea49663e9b21f2

SHA256 hash: 06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca (this sample)
MD5 hash: eea5a59ef6ef5fb0b97e7b90cb861c76
SHA1 hash: 150445df55b90c9ba96c8eae2b05eecd3c4bf257
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: Formbook
File: Executable exe 06e11a74aa70baafdd097bf296ce99ec183393a39f4b9b6818ef11d1d41875ca (this sample)
Comments