MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12ba157bb7e247ee5a0c59a7efd31a52c56480830c51c6a9c1b807f8c66ef551. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	12ba157bb7e247ee5a0c59a7efd31a52c56480830c51c6a9c1b807f8c66ef551
SHA3-384 hash:	fa071c4dc6ff82b449279384b91e7011b9368434f8af70e8c72bf708c3fcf8704d921e570cd02e8b1848dbd931176c54
SHA1 hash:	f3165cc11cce507167364908fdf29ba71ac6c4a7
MD5 hash:	1a8e8e51915e4fcad8e7a144607883db
humanhash:	edward-tennis-mockingbird-mike
File name:	SecuriteInfo.com.Win32.PWSX-gen.27453.18564
Download:	download sample
Signature	Formbook Create hunting rule
File size:	801'792 bytes
First seen:	2022-11-07 16:25:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:vtKrz+Z8A/x9FaYZbFaF9YJ1qcJU8uxgu5L2tZ5oCqPWDLDIMTpl:vtKnsNxWYR2D6UB7IisIQpl
Threatray	16'770 similar samples on MalwareBazaar
TLSH	T12605D0F4184032F4E7AECF32D5A92F6496A31D619383FA0F14A0B5B51A337E39625C5B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.27453.18564

Verdict:

Suspicious activity

Analysis date:

2022-11-07 16:27:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0260821d-43c3-4955-b993-bb9d984c8f4a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/330061/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.27453.18564.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/636952504d3db48878e0955c/reports/710ca640-820d-425a-8738-1e16675968df/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/13939418-8ea2-4db9-8489-025a9e34bc4c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1107675

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12ba157bb7e247ee5a0c59a7efd31a52c56480830c51c6a9c1b807f8c66ef551/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-07 13:54:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 40 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ck5bk65x4jd64wqmlgt67uy2klcwjaedbri4nkobxad7rrto6viq._file

Verdict:

malicious

Label(s):

formbook

Formbook

17a2844685dd091ac7e843225dc772b1d76e4f9b3594a5aa7448b5fde865192b

Formbook

1a269ea6349fc76e0d8a35b318eef5a3eca9498a419cf405d4cbf8dbd6c49ed7

Formbook

3767d055b8af7151cf6e469755a1fc4bb974411d4b6b0f1a322c9c6cb20e1184

Formbook

5fe79790df9261ca20131903c8aa6ba999f14f06cb9e2a7058433d0ca7b24cee

Formbook

6a04362459c48d0ae5eac0209d8faa0962f96f087c86abc5744f56f6fb7aec97

Formbook

a9c29ccb259ed6f5ff5ee320b6db411965393b1214516e997b9737009e81c535

Formbook

c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8

Formbook

f1be524b814c0f2a41725defe65371c128108456b94a380cebf62234e80fec24

Formbook

fae5a23956082d9c2c8931838c29356b130955c37f3015197194a0aff43f1004

Formbook

+ 16'760 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ss63 rat spyware stealer trojan

Link:

https://tria.ge/reports/221107-txja9afgf4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c8ab3a2d-2496-4cb8-a358-ed0a86565b21

Unpacked files

SH256 hash:

454320b8c2c76a3e4fff8efe84fd4551c8b3797e6f3897d43cbeffb6d4683a7a

MD5 hash:

ffbd872e6a179b906edf4184fdd733f4

SHA1 hash:

4dc4fa6f026d87305af39436b15aec7ccaf025c5

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

Parent samples :

16e4344b72865977c1765ef2c98469f41fc8c0520ea799bc62a5bf044b044697
f02f47777a5186b3e8a7822d1020cf0eaf441be6c1cea2b51f495a3902eb26f8
5e32ab599b2de72c60c1f2dcaa8604b5aa694d98d0dbd52c8607c000178c65ef
cd5cfb5118e9af25a488d5c360c67d934193fcbcd649bf2ff88afe5860da88b3
ffdf5023253f85c17296dbb3a31d959b54b67c6db569b4b0f3a69eeeca76e112
9fdb9a2f37301c92127d7c8efcf941acae143968f98c01704453bf6acda3ac45
97a96aa2cacdb919c81ae3573ded887431a924c2e4ee6137f704cfec0aae9fbb
2829338e694c41ed95440c5c3fc69b038a710afc3e8ad82dce03395acd841c69
12ba157bb7e247ee5a0c59a7efd31a52c56480830c51c6a9c1b807f8c66ef551
d0ffbae7e9bd73cace59052f816477125a065396d4c1fab29cb1a024df2486e2
f3d0f49a14231c380803723c9afcacc0a42e73d943ebd287f6830c7e46b2688f
c7c1ed4c673f296b1888abfa7f842b18150148771a1ba1196c01194bcc6d5b8e

SH256 hash:

1a846d7965ce233bac64ec1c2355fd9ae242114aa2502bb147fdc318d8c121b0

MD5 hash:

84a3352d3bce0b45613359e59976722a

SHA1 hash:

fabb5e73fa5f4ec4890309bc614c60b34f4ce038

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

SH256 hash:

bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd

MD5 hash:

b52058082749f08bbcb7036b0d4189e8

SHA1 hash:

90365baf6b18ff3139da00cd5caf30660643110e

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

SH256 hash:

4952a3a624981ec08a70c33c277609390a36ae4728068059b79680309b47d0d9

MD5 hash:

13d9c6037facbc118df82771092f4cea

SHA1 hash:

60610b44d5637ee90818f99a6e6bd541181aa049

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

SH256 hash:

92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90

MD5 hash:

046e97119545e5abde2f40b5dc3a0344

SHA1 hash:

3e69b67ddff2554c8cd72e129d4da9c8acd9d331

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

SH256 hash:

4ee6606be7180c3546ebd087f1033e23d7cc13b83176460c74f54d3a9897c600

MD5 hash:

e5fdeda3f5bb98bd75154c0f4d91c71b

SHA1 hash:

ca6f2f431b79b11d12d7668c89b9e25d176ec61a

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

SH256 hash:

12ba157bb7e247ee5a0c59a7efd31a52c56480830c51c6a9c1b807f8c66ef551

MD5 hash:

1a8e8e51915e4fcad8e7a144607883db

SHA1 hash:

f3165cc11cce507167364908fdf29ba71ac6c4a7

Link:

https://www.unpac.me/results/8bf12dfa-f45d-4f85-b5ed-c61e6f42e83f/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/12ba157bb7e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/12ba157bb7e247ee5a0c59a7efd31a52c56480830c51c6a9c1b807f8c66ef551

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/330061/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample