MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e
SHA3-384 hash:	87619af8824f5221fed167486ad0d7dd5c69d9744665c5721686b72af05e076e1ab1caf00eb8e87959fa8b08141ee25a
SHA1 hash:	726f4c04c3b78e883da1b5f6b0535c20c999e299
MD5 hash:	0243fa69047244a6fc52e0f81597660f
humanhash:	undress-delaware-east-maine
File name:	SKM-20220720111005LBB.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	13'824 bytes
First seen:	2022-07-20 11:31:46 UTC
Last seen:	2022-07-20 12:37:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	192:mPyOQsH0VmzjvcIyudW/YXsLJI8+ze1yG:kRZHbjvcIydK8ESy
Threatray	17'587 similar samples on MalwareBazaar
TLSH	T14352C78FC3C8A671D57A4A3FA91193B60654B786CCBD4E5F34347826B9333C20662E27
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9b1979616969612b (42 x RemcosRAT, 6 x AgentTesla, 5 x Formbook)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SKM_20220720111005LBB.7z

Verdict:

Malicious activity

Analysis date:

2022-07-20 14:15:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/270e3718-ecda-44d1-b099-104fbae275cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292906/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.28436.28212.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Creating a file

Searching for synchronization primitives

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62d7e7cfee649612ac5d0ffe/reports/c175b36d-ebc6-4ede-96aa-69578522aba5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037427

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2022-07-20 11:32:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=chlnxznm2c4nwcqltpnu77vmnwrkrfw6f336krx6cbgjkiha7cha._file

Verdict:

malicious

Label(s):

formbook

Formbook

1f72cb6a89b2416ff755cd63ae5bd2c0016846f5351227cc80e2242060e88a1b

Formbook

6e4f0f6801e6dab5b20618dd2b1588cb0ea9662873907c6c2685c6c6c1c5227f

Formbook

7163a32593b5045deb3bdce59153aa423a4fb8a7b155d233040945455e9c23fc

Formbook

71c9b0d05a25ba87205c066a3a7cc5c1932834114954cd6e550d10171af6016d

Formbook

75e628b04a020bbaecb3f61430c996aadb9d4b6f4f6396581922004b57404c05

Formbook

b3b51bb4c984b8c02326334c810cd98e60506e2fda957a542b75ed8886bdc96f

Formbook

b86b7b4da2727c0fa8859c368f7a135eabcc3f732e0f923567ee2962b372389e

Formbook

efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff

Formbook

f07a598af4561c05a03cd5aeb3030b5b49bd15b8bc53ac900397a07c76068e08

Formbook

+ 17'577 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220720-nna1maehd7/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e

MD5 hash:

0243fa69047244a6fc52e0f81597660f

SHA1 hash:

726f4c04c3b78e883da1b5f6b0535c20c999e299

Link:

https://www.unpac.me/results/f258eb46-df8d-40ea-882c-e17913839e2c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/11d6dbe5acd0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292906/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample