MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd
SHA3-384 hash: 857029699b53828bc089eed032bc47ada353c1a81d988b85054ecbe33636faf2e3389538c865d184de5e09edf1974422
SHA1 hash: 646f32536db41119f491a9c6cdc5c8674b52e822
MD5 hash: 72919e26542b13acba9cace7d27cad49
humanhash: double-vermont-blossom-harry
File name:BOMXsVEMOYKKUa.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:690'688 bytes
First seen:2023-12-13 11:25:41 UTC
Last seen:2023-12-13 13:24:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8uua+4WpAEDy7w80KYJyHIai2U2CO9usFEm/vdGbnTte82P0pWtjm6+:SpAEXuHYD2bPEm/+ZaBtj
TLSH T149E4230037396E1FEABB17B9D5B5412803717F6560B3F6DC7DC421EA35A2BA019A01BB
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0c896b2b296e8f0 (19 x AgentTesla, 5 x Formbook, 2 x AsyncRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467140/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.5037.991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
hook keylogger packed
Link:
https://www.filescan.io/uploads/657994d28b5ba47db2e11586/reports/131d095d-4bce-417a-99d1-13f1c28f28fc/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c50ea664-47eb-4ee2-928d-abf8e6648eaa
Result
Threat name:
FormBook, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361309
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 09:01:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cq7qslf5omj6nibrc7ukub3zk2yvuladgcd7bfhawikhlo3nil6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231213-njvjgabhfl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
98ce1f7bf6df46d33daf8854fd00c042a88e34d6a9a483da0243f8b044233f76
MD5 hash:
d8c4e81b14b7cc9f18eac8a5465c2df9
SHA1 hash:
ee5415a2d97640dabd02250464534bedcc9b2b77
Link:
https://www.unpac.me/results/2adf2938-1157-4395-ad44-27301aee9004/
SH256 hash:
226e43994bb440e688ffd85779240773ef75429531f4ca7581e686461577156e
MD5 hash:
050e8ef3fd8362cc1a82149639262e99
SHA1 hash:
d49bdabde22569129766cf88bf6bf9c8bc088d27
Link:
https://www.unpac.me/results/2adf2938-1157-4395-ad44-27301aee9004/
SH256 hash:
797e57bd74a68f7b4808a213f5c319ee4f4b023bc73088175d4393dfee9fe329
MD5 hash:
3c927935fbd608e7628cc2c5ad7d52fd
SHA1 hash:
ee0c880c0614ac960fd641f7d479233584aed1d8
Link:
https://www.unpac.me/results/2adf2938-1157-4395-ad44-27301aee9004/
SH256 hash:
3188950ea08c6c780b8cd8f14cae8b61cca0b0e8674a519511e91e8dd32fbd37
MD5 hash:
4e41b6bfe64881d9dea6c520916fe37d
SHA1 hash:
cfba06073f361e6e1b7927c9991b895c4a90e1d4
Detections:
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/2adf2938-1157-4395-ad44-27301aee9004/
Parent samples :
9c3c75f3073c8a3aa8557fb4f1797ff3dded28fead9787620919526efb2fb060
f0b7b3e5f75561c2bd0c418d49a78c796c832c11cf4aa374963a7ee7c76e5473
a159bd480f79fa31be7221debd26ef015e4ad69efed117d9b2892554c73f57f0
020e75bba53b32452b70c2796aabfd51dbd2c82380bf138158ad590d9db1df72
5aa5ec51141a6523be4a53ad96c02b1371bc7558326ac4e924ca1849db4feeea
f24a13886b4f210691bf73566963618b370ca0781cf65cb212cafb13e12060ff
143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd
0f7b450ae017e6535ed72274165bf586277c977bab747a69e75cd54cf2386615
84027098239c95b6ab961516849dac72bb2fc95fcf30b4172c17df971732edd1
6455ca7100c447b8e7678a01b654925a2f2514a108cdcc2b2dc26b823a59ebb1
00f82f5933b6f1bae3193eeefb7d5b7b6148028d7985a9b489e141f315ecf7c7
SH256 hash:
ceb8a36e527e2f6f11b370dc01b7374321820dba0225a958ede1229894dedfd5
MD5 hash:
dd165934401aa25d98aeeac0fabc748b
SHA1 hash:
1f4790ab308df89a572bc0cfe545c74dc3accf88
Link:
https://www.unpac.me/results/2adf2938-1157-4395-ad44-27301aee9004/
SH256 hash:
143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd
MD5 hash:
72919e26542b13acba9cace7d27cad49
SHA1 hash:
646f32536db41119f491a9c6cdc5c8674b52e822
Link:
https://www.unpac.me/results/2adf2938-1157-4395-ad44-27301aee9004/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/143f092cbd73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 143f092cbd7313e6a03117e8aa077956b15a2c033087f094e0b21475bb6d42fd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/467140/

Comments