MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 172d54898a3dda39ec73f1c8df94d0ffc04d12af506caf5e916e1ae899448357. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14


SHA256 hash: 172d54898a3dda39ec73f1c8df94d0ffc04d12af506caf5e916e1ae899448357
SHA3-384 hash: 8ef1e0087ae250528aac33ed53bb3d9583609873b9ae89703f74f295fa2ec262aeee8c168d7714df60bf12721f04abb8
SHA1 hash: c206a0650d4c6c1ae380d44e6f4982aa6e2e832b
MD5 hash: 69599d9e3f0215c8322482c5787119c4
humanhash: princess-seven-yellow-alpha
File name: 69599d9e3f0215c8322482c5787119c4
Signature: Formbook
File size: 676'864 bytes
First seen: 2023-05-24 18:56:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:R2N8jiZ4zypIPsPtPplTY6RhKuknaqJs9gQ9DzkxyJxt7PGmaWhFEMCEX7J6MX9/:R2N8jiZ4zypIPsPJTDELna0O98UftCmu
Threatray 2'956 similar samples on MalwareBazaar
TLSH T1E4E40194207E9B4AD87B63F50040A6BC033FAD6AB533D3075D87B0DA5969B484F52F2B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
     10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
     6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
     4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
     1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags: 32 exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 292
Origin country: FR

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: cmshnr_private.xls
Verdict: Malicious activity
Analysis date: 2023-05-24 15:14:39 UTC
Tags: opendir exploit cve-2017-11882 loader stealer formbook trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 68 / 100
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-05-24 17:41:18 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 22 of 35 (62.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Formbook, Executable exe 172d54898a3dda39ec73f1c8df94d0ffc04d12af506caf5e916e1ae899448357 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-05-24 18:56:25 UTC

url : hxxp://103.140.250.22/W90___11/dwm.exe