MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc51cc07b6bf013458c563abe49a7a132fe00b9a9d80fabc2fc3baaa0dea039. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13



SHA256 hash: 0dc51cc07b6bf013458c563abe49a7a132fe00b9a9d80fabc2fc3baaa0dea039
SHA3-384 hash: 5045fb7813c15ebbde55c984082e039aeb786d5ce1c57a02dfb567124197d67ee65bf2092a176e5432b81386432556c0
SHA1 hash: ede587e62720c16906fe078a15caa33d9f91d1f4
MD5 hash: 2e5825850139879d234fa2eddad41bc0
humanhash: uniform-glucose-nuts-fix
File name: SecuriteInfo.com.W32.AIDetectNet.01.637.5381
Signature: Formbook
File size: 732'160 bytes
First seen: 2022-05-24 15:35:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:zW6GKkF9qn2VNG4omb0xCDXjKHpThSJrtLRMOJI9kn54hFWJpk8AwVdyz:SMrn2rG4j5QpTYtNMOI9Y63WJpkoVg
TLSH: T1D6F4F10473A6DE13C21D16B6C0D3492403B5998793B3EBDA3EC926DA0D067E5ADD878F
TrID:
  69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 318
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.W32.AIDetectNet.01.637.5381
Verdict: Malicious activity
Analysis date: 2022-05-25 00:04:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe obfuscated packed replace.exe update.exe wacatac
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-05-24 15:36:08 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 16 of 25 (64.00%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:n4w3 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SHA256 hash: 60195b5a4a889ead26fabcccbe8c1b310b3400d21692bdd12af8b5131d61d7bc
MD5 hash: cf2c3eca8c6adfa05b21fdcb48a58aaf
SHA1 hash: e51fc9c96691cfd2df1590094399ae62ec24c4fe

SHA256 hash: 9be6cf29ce1f1e43a19650aae3c4e08b5262750438e2f9819c457a477d54cd90
MD5 hash: 79ea3f509fabaf5d7cb317e67e3691c9
SHA1 hash: dc3f927f82e688ee567c419a7e939a2e31086c2d

SHA256 hash: a936419b701428167d1f2f6a35242a3d1b4be76314d370e3cc10654d2b46c700
MD5 hash: 782855252a5c7e51f82bc13df062af6a
SHA1 hash: d1a28186aad122075734ee484adc541a6316099d

SHA256 hash: bd66f6af94742813e09df2533e65e69acd7d1622e58d343bf13d1a92fed40f5b
MD5 hash: f2db0bb5141ecb5c6ecdea964dbc326e
SHA1 hash: 14c54c49ffd6b6e801dc2812048e4327d8ca0b1c

SHA256 hash: 0dc51cc07b6bf013458c563abe49a7a132fe00b9a9d80fabc2fc3baaa0dea039
MD5 hash: 2e5825850139879d234fa2eddad41bc0
SHA1 hash: ede587e62720c16906fe078a15caa33d9f91d1f4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments