MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1
SHA3-384 hash:	0d5695df494a8d4b0f40034f2f271fae4cb1add68bb26612b17c67bf2726e0cf2dc3f1f12b7c50728b694311ecc760be
SHA1 hash:	2946ad61e976dd27cbd5a45e8972330991b50708
MD5 hash:	4bfba6e5ed9cd96a55ff2bf5e9574aa4
humanhash:	mississippi-lactose-asparagus-mississippi
File name:	SecuriteInfo.com.Win32.PWSX-gen.73.3982
Download:	download sample
Signature	Formbook Create hunting rule
File size:	227'840 bytes
First seen:	2023-12-12 10:18:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	3072:GABZ6iooeCnsxcsPitFMvRr87mcZ9z6zDOz3kdWNV297WTZqHGqpuF/GzHJhaukP:GmsuXtFMvRr8a+9zqDOzY41h3RBi/6
Threatray	3'154 similar samples on MalwareBazaar
TLSH	T1D224C713FAB689B2D284277AE9A7080403F5F24E638BDB0D7A9F23691843776DF01557
TrID	59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.6% (.SCR) Windows screen saver (13097/50/3) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/466366/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.73.3982.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade

Link:

https://www.filescan.io/uploads/657833a0eba108031489f304/reports/da585f62-2154-4bae-bdff-22ba50723d00/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d9d7a87e-3162-4678-9abb-1baf96dbad7e

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1359976

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Costura Assembly Loader

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-12 04:14:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 36 (36.11%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c66zqbyqlh2qj5kphjodlcw6zgj3yeo2f5rr5po4vu4gx6ad6wqq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4e888a7a812be647c1db3c45b41997976b81fcac54dbb3c2c53087518c036287

Formbook

62f5f91f3533cffc8b6213b9cffeb8315f09d2219717d9477b08f470f312bc29

Formbook

6a14e79be0398899cfc53dc234f9e51f13705afe8b2cf15c404923bb6706ea09

Formbook

78854920bdb00256902029bebce69365c42a97b0431ff35c48f6faf5951f24e3

Formbook

982a9a52e532bbfe52941c4ab95c2899c1af75e9a3eee2b1977e3f49e8a3e71e

Formbook

a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8

Formbook

bea05524bed97521b9125340ed086207cd5b15e3f5d44d704f592ab3ec86e90f

Formbook

c1aa65f7c2cc6beb7052c8ada46a3139fc01da66890f4153a7c5761292b71d61

Formbook

+ 3'144 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231212-mchqnabcan/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1

MD5 hash:

4bfba6e5ed9cd96a55ff2bf5e9574aa4

SHA1 hash:

2946ad61e976dd27cbd5a45e8972330991b50708

Link:

https://www.unpac.me/results/86d5d35f-21a8-4b5c-a780-503d719141c4/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17bd98071059/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17bd98071059f504f54f3a5c358adec993bc11da2f631ebddcad386bf803f5a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/466366/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample