MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8
SHA3-384 hash:	bace0899b101b8d784133615e81b8a980e2fdca4d881e369d8ca0933dabb1dfd8ee82031780b708224d3c55a03c3c3ac
SHA1 hash:	14eaef34141dbdcd7fb8dcd7099dec4e7a49c25f
MD5 hash:	d4f379716a0b348f8860b740f8b6bfae
humanhash:	quebec-illinois-missouri-mobile
File name:	SecuriteInfo.com.Win32.TrojanX-gen.18033.12772
Download:	download sample
Signature	Formbook Create hunting rule
File size:	809'472 bytes
First seen:	2024-07-11 08:44:35 UTC
Last seen:	2024-07-11 13:06:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:TL51+wDiTxMus3fwzs+RBDM8u5EJR5TifT:pu9Yfes+RlM8u5EJR5Ta
TLSH	T11605DFA422E91F12E8B94BF55A30950197F3B91A2A71E34D1DDD20DF0FB7F409A52B23
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8.exe

Verdict:

Malicious activity

Analysis date:

2024-07-11 08:46:42 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/605288ac-3d77-4f02-a6af-0a81792fca59

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.18033.12772.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=668f9b9150cbfd4734a8a6fawin7simulatehigh_evasion

Tags:

Generic Static Swotter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/668f9b927a9d1652007039ff/reports/5c7ecb09-f404-427d-9d06-6deda144d358/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3bf9ba04-d58d-4277-be7c-ded7f42a1f87

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1471367

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2024-07-11 08:45:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b6uwui3kex66qdzyxapysakghr55xkoj5gf7zudtmtqkrqewh24a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240711-knqjja1dqg/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c361e15a-7848-4510-b9ac-633701e2b49a

Unpacked files

SH256 hash:

4996d9023ba6672ae56cd620992c4cc8614b44f67c702e26a1aed344511c0688

MD5 hash:

e4906f8f8c638b347af92318eea0332b

SHA1 hash:

7aa983f60917964ac8818ea7941b723a3d809547

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/820b19a8-6880-4e9a-9c0c-8445dd9076da/

Parent samples :

d1e3807c89e5cf0dc6541e2241cd052698319bc15ce5335bbb23352f58308bb4
77b793bb0e1a76c821c2ce95add67a09dbfb3c2aba4b8de5b09cf4eea4546f99
2b60a60cc965883183d2a376c5136c088d29da5238dff2ac9223149064e31fde
1eddb0c0fe21e1a1c1e7cbca6a89c3b2859c5747b08b0de0967de5169ed5d63d
0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8
b1352a6d15922a859937a191d75c7feecfd66a6b648e56382acb5174c797e190
b9c6ec21999ce5a5018cfc0dcadecdeb1c6f8c7ba9702d2bcaf5afbf25fa3e35
fb20f2515799981b9b526e6326f5fb1b3e54b200119ee1d02141d0513aa34fc3

SH256 hash:

bc0730dda0d779e492705bded7618914aa66efe8996f2eb7bf0193df543a2645

MD5 hash:

1994024fe3c8b93b05f5da1b7834d626

SHA1 hash:

5d34d77afb3e90534b3a1bd8e4971ba72e4aa214

Link:

https://www.unpac.me/results/820b19a8-6880-4e9a-9c0c-8445dd9076da/

SH256 hash:

1003d2ff1483849e6f4e0db6b88333496f6bcc97ac49e5e618246a7cdf74a2dc

MD5 hash:

8c16489e7ff6f8372e0333e150327fd2

SHA1 hash:

c1d5cb1fee5f4a4d5bf31f37f1d1c04226898265

Link:

https://www.unpac.me/results/820b19a8-6880-4e9a-9c0c-8445dd9076da/

SH256 hash:

78301e5eed8234a92c7193cc61049d929223c2edf6980b7e95f8b83e17f3a5b0

MD5 hash:

d36229e05b2cb13bbbe09499b1ac0eaa

SHA1 hash:

974b192b3f9ac5ec8b6cd0d3d4bddea2c13a7fe8

Link:

https://www.unpac.me/results/820b19a8-6880-4e9a-9c0c-8445dd9076da/

SH256 hash:

81caedd592704a07c255bc60495c3eab6c5a235af05e13e04a8bee3f0c65af40

MD5 hash:

d37f0cbc031ecaadd7fc97c9169e04e1

SHA1 hash:

32f7fe6ddbab26aacde711e31af8c8921f35584c

Link:

https://www.unpac.me/results/820b19a8-6880-4e9a-9c0c-8445dd9076da/

SH256 hash:

0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8

MD5 hash:

d4f379716a0b348f8860b740f8b6bfae

SHA1 hash:

14eaef34141dbdcd7fb8dcd7099dec4e7a49c25f

Link:

https://www.unpac.me/results/820b19a8-6880-4e9a-9c0c-8445dd9076da/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0fa96a236a25/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0fa96a236a25fde80f38b81f8901463c7bdba9c9e98bfcd07364e0a8c0963eb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample