MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
SHA3-384 hash: 427711d348ce7d0bbb215064c10d70080cb6df3dd5467fd9cf557a892f7a2b90cd8783dc9bff07a0df73b912ef7996da
SHA1 hash: 56746d263adcaea5bd566a5bce8ef2c153b68e10
MD5 hash: 68b6567486d97423340703b5e8130d8b
humanhash: black-carbon-maryland-lactose
File name:SC_TR11670000_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:704'000 bytes
First seen:2024-02-20 19:19:50 UTC
Last seen:2024-02-27 11:43:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:rHMPFA1uqHgL16iuWgveLqd/MJHnsnTy7fT47Nbv58RE1nqEc9JVHTgY:70FAMqH6ciKi+/yVAN72JEcRH/
TLSH T1CDE4236039496577D3BBB2B9011192D802F5E503357CFAAE2FE538CEB6A3D2C471E225
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00d9f8e8c8693204 (6 x Formbook, 4 x AgentTesla, 1 x NanoCore)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
316
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477130/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65d4fb6bc5e1a083fbf32d82/reports/e1292038-6a18-4233-b596-143532953913/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18b784e7-761e-4b97-9a2c-dd9e2612879d
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1395608
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-02-20 02:06:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnrvww6p357rcvavzvzftdftq5cbzn6q7tjk2ojxon74ahafzjoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240220-x132lsdg2w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
78d6d8fd9900196806296a6f6ba9f6ff821e69761284ed08e4d2cb5ba68d5edd
MD5 hash:
c911ccbfe23a3f3835377090673f24d9
SHA1 hash:
da26b2a0c791df1ba9c21953567ce992997ddb08
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
Parent samples :
d80d15764111eb80aa6f43d95f3effa13eb47c43937a578d78692769953defc0
0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
d7eab9eb726b311e97b0c71522363b9223f767f7474c5cbf4d9bf0df9c4b909d
1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763
99508e1f259485c8c1a9b8a6b60c2fa9355caabd41e6c78854252cfa397673b7
SH256 hash:
b3f2bcb08ae6ed77b51186dc73ac27afc31c9e3b175914fbc7e932a053024057
MD5 hash:
8edcf081ada9f28a2722afb40ac6e099
SHA1 hash:
9a1d6568a6063fccac7eef51a12cbdaa81b82262
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
72638f4b30cc9dab51d31216991957bf1cd118b8a8743227b3e8f9c4805f7628
MD5 hash:
2a8240bba06e832ee5d136a0a7e5b5b9
SHA1 hash:
de49d9b33004a4a622a4279b3ee2b3e3e5cd012b
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
a06d6e124b90d892c7116351468932170f676f3f0f3afe88805f4307513ae124
MD5 hash:
886f06db327f0f6b3e5767778d5a2f9c
SHA1 hash:
6d8fa4c92ab3094d6114c20655250e3638f7cff7
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
ec592062c41d26d7046ab135fbabaf80e69900ba940ca654261cda17109f8769
MD5 hash:
09f7fb78314d30bf7c69d72caa9da978
SHA1 hash:
5536e0f86fe6e36f11e5ba03a8f559675dd82f30
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
42e5bbee4b498550f505c1232326adbf9d5d23c7e90174eb142b4963b879fe7b
MD5 hash:
100a8095e042378d2c227eb0ff37b6d4
SHA1 hash:
32c4a6457d7c01e9e135c3750d571114bc0ef3a0
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
cbde7974e88068da7b4456a65a9ad120dfd435fa6fba15f5f82cc212dadc2296
MD5 hash:
cabd22314a387d58316236a6514d4f88
SHA1 hash:
dbc55b91edd68ffc3cfbe611af9a45b9fd494d80
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
28d64bf0ad97e65488987a5b16ae5f1cf01a9764f864e8c49daa4ac02a46057a
MD5 hash:
496e4a31f1eb40671ea26f717c4544ff
SHA1 hash:
b5863b086b152d6438266338f0a4bec9462f5509
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
fd8baad092de6cef1511fcb8be67a3544d96c0da30a04800a3b2ac7861c7f219
MD5 hash:
3d890f5a62aac3b963022c9b4b116d90
SHA1 hash:
79a17ed9871452f1c6cdb0294e7b3f512366010a
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
397877a736016f74d9c12c5ff388891d00457a5235d45f34ae202693d1958b52
MD5 hash:
e648e2f812e0075e2c866b4d6c3d9e16
SHA1 hash:
78d0d19e1afb23e93a270386937715a3fc83bcb6
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
498d28b55fdbfb39c3cb42bf88e779e03edae1d6dd70dd19015ac2063ef1a05b
MD5 hash:
fd2f8b9a3aa1e66049dd817ec80ab964
SHA1 hash:
7138f105ebd2d365dfa06a5c3724385a015bff3e
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
89c8ac0914439d5c7a33bb149909026e7a345035e1bb4d5b3398ec30fdb3362e
MD5 hash:
115a094d0c79b6df3427d7f60342b3aa
SHA1 hash:
10ca5a7897f8be42c5fadf3a1281c41e619ac6a6
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
SH256 hash:
0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
MD5 hash:
68b6567486d97423340703b5e8130d8b
SHA1 hash:
56746d263adcaea5bd566a5bce8ef2c153b68e10
Link:
https://www.unpac.me/results/16c69533-a3f8-46e9-8bc1-6d4e276041ff/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b635b5bcfdf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/477130/

Comments