MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 173e2bfd47ffa24de5fbfe5e293d5d0e76d7be2f69709f2098422d24d2421a77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

SHA256 hash: 173e2bfd47ffa24de5fbfe5e293d5d0e76d7be2f69709f2098422d24d2421a77
SHA3-384 hash: 0fc246e83d4fa6b7038ba9d789619f83fab36ed85c2790d38d5e57bc98af97adb6e443655a78223e4cfa1f15b6db7f4f
SHA1 hash: c89a55f6a9f898290e81c5b91a48616eab801dc7
MD5 hash: 21aa7fa7eca0a285e99093c03fa50981
humanhash: oscar-wolfram-music-cup
File name: SecuriteInfo.com.Trojan.PackedNET.2698.18590.6852
Signature: Formbook
File size: 664'072 bytes
First seen: 2024-02-22 12:41:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:Vws/RY5Ujd53LlvPsmu3eesjKxy01pGEe9V/ia6J2H4xlS2hoNF2wyskR:pgKarfMCy01pG9i3hlhhoNS
Threatray: 901 similar samples on MalwareBazaar
TLSH: T1DBE4237137989B71E66D1FF23529C512EBB1A02A7D32E78C2ED8A0C711C2BE54714E0B
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 322
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2024-02-22 10:29:40 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:cz30 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SHA256 hash: f65ce16ee371858f7f379b2b570014c2583792d768e9f501a1aedf258cb1ea78
MD5 hash: c71b1896d6c2373f06eaaed49bb61860
SHA1 hash: fb5daf2dfdc97a1cdc0f2bedb2249ce3fb53ea95

SHA256 hash: cbf850de6b8cc91ee4e74d4dbdd766625b16d879aea24b652dbbe2c6515e3f68
MD5 hash: 7c3050fa273a71f8971ede53989c6c94
SHA1 hash: ae55b59f5157b8a9b1e26c79ace60c93e468926f

SHA256 hash: d70e4033db330c128a0fed627f2bb0faee896f86112e6f4170adefc9a580dff1
MD5 hash: ec2a8446d2bb3f4a4bd67c0fab01fd3d
SHA1 hash: 72adabdb9c297f0cad6708f40b90f90c894e387c

SHA256 hash: ec592062c41d26d7046ab135fbabaf80e69900ba940ca654261cda17109f8769
MD5 hash: 09f7fb78314d30bf7c69d72caa9da978
SHA1 hash: 5536e0f86fe6e36f11e5ba03a8f559675dd82f30

SHA256 hash: 173e2bfd47ffa24de5fbfe5e293d5d0e76d7be2f69709f2098422d24d2421a77
MD5 hash: 21aa7fa7eca0a285e99093c03fa50981
SHA1 hash: c89a55f6a9f898290e81c5b91a48616eab801dc7
Detections: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.
