MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e
SHA3-384 hash: 0ae51371ab8b897e81e12adae99b1e8678fade9ab5a03e59994c4509a026e77b64a0ffd74fd95cc3ff5b24a5e31d7afd
SHA1 hash: a302170c22a0118082963063eb8ac9dad952e8b3
MD5 hash: 633decc4f33c9f6cdabe3cc19fedb91f
humanhash: oxygen-hawaii-tango-fillet
File name:SecuriteInfo.com.Win32.RATX-gen.9957.27742
Download: download sample
Signature Formbook
Create hunting rule
File size:720'384 bytes
First seen:2024-09-24 08:20:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hOW4zMn+PRmAVvalzzHA9U47wLX0V7s3HgaJQ+lO9FmKn8bQb:h6PPNizzHT2wL0s3AaJQ+lO9MKII
Threatray 733 similar samples on MalwareBazaar
TLSH T15CE4129026AAD903C0A21BBCA4B2D1B8077C9D9CBA03D3079FD93DFB7D367526941752
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
571
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.9957.27742
Verdict:
Suspicious activity
Analysis date:
2024-09-24 08:24:45 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/4f61691e-f1ad-4bc9-ab60-cafc06f5695e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.9957.27742.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f276738aca58c2b2c709cb
Tags:
Execution Network Stealth Msil Agenttesla Monitor Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66f276778687fc2f92d382c1/reports/354a11df-587a-4fa9-96c9-61ccb6030e82/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/767979fd-8712-4913-93b7-ddfb2b6f63b6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1516478
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1516478 Sample: SecuriteInfo.com.Win32.RATX... Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 7 other signatures 2->52 7 SecuriteInfo.com.Win32.RATX-gen.9957.27742.exe 7 2->7         started        11 mwzjUGDzC.exe 5 2->11         started        process3 file4 38 C:\Users\user\AppData\Roaming\mwzjUGDzC.exe, PE32 7->38 dropped 40 C:\Users\...\mwzjUGDzC.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpC179.tmp, XML 7->42 dropped 44 SecuriteInfo.com.W....9957.27742.exe.log, ASCII 7->44 dropped 54 Uses schtasks.exe or at.exe to add and modify task schedules 7->54 56 Adds a directory exclusion to Windows Defender 7->56 58 Injects a PE file into a foreign processes 7->58 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 SecuriteInfo.com.Win32.RATX-gen.9957.27742.exe 7->20         started        60 Antivirus detection for dropped file 11->60 62 Multi AV Scanner detection for dropped file 11->62 64 Machine Learning detection for dropped file 11->64 22 schtasks.exe 1 11->22         started        24 mwzjUGDzC.exe 11->24         started        signatures5 process6 signatures7 66 Loading BitLocker PowerShell Module 13->66 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 WerFault.exe 20->34         started        36 conhost.exe 22->36         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-24 08:21:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=barr34sr5ilmhfo3d5fu4f2elq4wgfxyymgbfmggdu3xnw476rxa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821
Formbook
3da6c537f48990ad2f7bf459249e9ebf35aefd90d32d5b3f41c2528f1d0e4556
Formbook
458e5bd8e3508c15449bfd4c9931a59cd2a6a95ed9e6bb5b0090aa6641a29c77
Formbook
58cdcd2f49080d4471ffd169eb6cfe86f9efae01e45423492d0e31a4db510d60
Formbook
7f24d1a1ac882a4e9da16afa9f05464cc7b4a59aa42edd8855543a10319f5be4
Formbook
a9ca3955156a843f095203a36d37f40d305926be366fbc1238e73e8590284655
Formbook
+ 723 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240924-j81dss1bjh/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/12d774ca-9379-4f7e-a1d2-aff1b164c5fc
Unpacked files
SH256 hash:
5d9b65021548960a11e2548471277b1d19fc3d19843ff3d4df93debded6f30e1
MD5 hash:
c7fb3e3ff097f8dece2518cf837cffaf
SHA1 hash:
5c7d112f9400d672d59d1ef4458755c720bfe284
Link:
https://www.unpac.me/results/a40731c5-f8c1-4f50-87fc-dc39533d42ff/
SH256 hash:
5202101220bb6c21ba32ff14bd8bf184a68de0a954413b30bc110a8ca67b8f34
MD5 hash:
af6ddd62ff903a92ba04f4877634941a
SHA1 hash:
7e0b4a9e02dbecf1a94ccf86f9c9bacac31643dc
Link:
https://www.unpac.me/results/a40731c5-f8c1-4f50-87fc-dc39533d42ff/
SH256 hash:
3fd07788dbda2eb6e498579c2ea318858fe2d7dd6b35894e8597d92a35874e8c
MD5 hash:
b9f7d602e47fe9871779c04f9ab6fea5
SHA1 hash:
a068be7e4fccc3b0292e1e8f320f5582a41094af
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a40731c5-f8c1-4f50-87fc-dc39533d42ff/
Parent samples :
3af2cf1340e218f736daae6f75e1b3f3f409fc41bf2a13a3c6ea84f9a36141c0
08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e
8808b82d080684db0bc564d18bc86ee2cd93b541d495214a02f728334c34d62c
9c1dd67562324157ceab4d8e050c84150afc6ddff6aec72206ab437c31aac7bb
8e4656c805621f5b8d18f090c3416d4a23d13e985b1fec1c86dc8586064c315d
SH256 hash:
200463dcd39387dc8541f7e3816660992d488b5ac312870f31062c0967950e6a
MD5 hash:
1231fa4441d64814044b80f5a4ae065e
SHA1 hash:
5952dec61762b9240b8b03b96e554049ff7dc98a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a40731c5-f8c1-4f50-87fc-dc39533d42ff/
SH256 hash:
08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e
MD5 hash:
633decc4f33c9f6cdabe3cc19fedb91f
SHA1 hash:
a302170c22a0118082963063eb8ac9dad952e8b3
Link:
https://www.unpac.me/results/a40731c5-f8c1-4f50-87fc-dc39533d42ff/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08231df251ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08231df251ea16c395db1f4b4e17445c396316f8c30c12b0c61d3776db9ff46e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RSharedStrings
Create hunting rule
Author:Katie Kleemola
Description:identifiers for remote and gmremote
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments