MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1
SHA3-384 hash:	dd54d336ee50acce6a2f9287e39e44a302817a6d163ca16cafec2d41a19fca7f25c641ad83d0903bbe5ff1eb8b692d70
SHA1 hash:	5f9fbe3b245b776c2553382c35cd1595dd7180b7
MD5 hash:	50038e172e33e7fdfca6287221ffe1a4
humanhash:	winner-ink-hamper-yankee
File name:	SecuriteInfo.com.W32.FakeDoc.J.gen.Eldorado.17286.24963
Download:	download sample
Signature	Formbook Create hunting rule
File size:	827'904 bytes
First seen:	2024-06-12 17:26:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep	12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcP7ZF968JT4/UXuWJeYAijFd6Ll:hBXu9HGaVHTZq/UdJ9z6Ll
Threatray	42 similar samples on MalwareBazaar
TLSH	T14205128879021C16F8669C36CDF9FAE0181D6F166DD0120BF45DFFE97BB9214A5C288B
TrID	31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6) 30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 12.1% (.EXE) Win64 Executable (generic) (10523/12/4) 7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	74ecc4f0e8e8f0d4 (1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

350

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1.exe

Verdict:

Malicious activity

Analysis date:

2024-06-12 17:30:36 UTC

Tags:

evasion telegram agenttesla stealer exfiltration

Link:

https://app.any.run/tasks/2e63340e-4a37-4983-a56c-339f4d01aa3c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.FakeDoc.J.gen.Eldorado.17286.24963.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6669da5ba2bce47be7d80623win7simulatehigh_evasion

Tags:

Infostealer Network Inject

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Enabling the 'hidden' option for files in the %temp% directory

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

AutoIt lolbin microsoft_visual_cc packed packed shell32 upx

Link:

https://www.filescan.io/uploads/6669da70eae3878d8f394e15/reports/44f473bd-3e41-4460-b6cb-2145991573b2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/18be52f8-fe17-4f83-9ca9-15169ce9f950

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1456152

Signature

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Snort IDS alert for network traffic

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Generic Downloader

Yara detected PureLog Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2024-06-12 17:27:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dbmytsvfmrogs3jnslolxhcabrrhbmwuz4q3q6whdakeuhqeq3qq._file

Verdict:

malicious

Label(s):

agenttesla

Formbook

2bd5ab52fbb3957e4ec4b1c7bb5368548d9b8a2672ea9b0ff43d896801ae8337

Formbook

86b2b298949aa8152e801baa096952105a2147fd5a13308f9f27959ffdc2cc2d

Formbook

930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef

Formbook

b3ca04d731ce63ef0fb3cae7db9ae14b8ff9c0ae842b83ac80eaa8ef459f9672

Formbook

c1d34d27db8d0bb51d5438f37cbcb89ad1944c651bcab3db8c7680afbb597feb

Formbook

dacf136fcb4d21b822f8855c4af3b3a07d97caa68a58a19bd0206233c3a6aa77

Formbook

+ 32 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/240612-v1emxaxaql/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

AutoIT Executable

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

UPX packed file

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot7288956701:AAGI8Yq8sI6l1S7vYfYKq0jwMldTgmIxjiE/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d6e6f013-9c1a-4044-b4be-d5e49967bed1

Unpacked files

SH256 hash:

5ac021a8cd3f871bd9f6c18d18567f913044ee61b1e064f648f9ffe7ae33b603

MD5 hash:

310fb30b12e3b5acaa941b5792e2ec63

SHA1 hash:

5ae9dcd3a0d9a8207574d01b7f8b7d6f14460f1b

Detections:

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

RedLine_Campaign_June2021

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/5262682e-26a7-49ea-a267-e673c73073ba/

SH256 hash:

08391c7ddffcae60956b9126ed3eba15c806558675d50fa3f5737efaae87a74a

MD5 hash:

e019efa138bc4c6d6944ec5fd40c5bd5

SHA1 hash:

47c825ae64cfcc9c465163e0e1beebd741fcf56b

Detections:

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/5262682e-26a7-49ea-a267-e673c73073ba/

SH256 hash:

1df6eec6b6b8ee338e0a703d21f4e782792e6eefd5604e28f3bf9fcc10fa044b

MD5 hash:

bc9dc6ac91d92e99be6f3021a44578a9

SHA1 hash:

2fdf8bb3b4d49783b7418b518d2c7056ff3ec2aa

Detections:

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/5262682e-26a7-49ea-a267-e673c73073ba/

SH256 hash:

c455c82fb461dcfc46384c8359f00f88b8333a022b2b467292f99d9cfd77b58d

MD5 hash:

23b7aa811426b694a8375b364327168c

SHA1 hash:

77abe6331a34d46f1b865019161c9b7fe27f60fa

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/5262682e-26a7-49ea-a267-e673c73073ba/

SH256 hash:

185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1

MD5 hash:

50038e172e33e7fdfca6287221ffe1a4

SHA1 hash:

5f9fbe3b245b776c2553382c35cd1595dd7180b7

Detections:

SUSP_Imphash_Mar23_3

Link:

https://www.unpac.me/results/5262682e-26a7-49ea-a267-e673c73073ba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/185989caa5645c696d2d92dcbb9c400c6270b2d4cf21b87ac718144a1e0486e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetAce
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetUseConnectionW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample