MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6
SHA3-384 hash:	a0b12c0c60973b71d3d0ba39bfa9ed053cae0526d5ae870847101af9cd754a26761523cfa69470f195df50e53bd5b5f1
SHA1 hash:	ef233fa0918df96bfffc7c48e0834255c1e8798b
MD5 hash:	2850060865cae6fcbb141ac0df454066
humanhash:	oven-quebec-hydrogen-video
File name:	SecuriteInfo.com.Win32.PWSX-gen.19658.17639
Download:	download sample
Signature	Formbook Create hunting rule
File size:	970'240 bytes
First seen:	2023-12-19 11:17:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:SsRc7KGxrgHIBt7S9OsyzJ6oiJumG55yHt7hZ1eUAiMXRWVEgEN8q:xYKGNgHID7BdJpvTqlP/A5RWC8q
TLSH	T1E925173C99BD2227A4B5EAA2DBE48837F120996B311D6D7598E3C3557306E4334C363E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

335

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/468478/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.19658.17639.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65817beeb290743934e895bd/reports/efccc245-cec6-4837-8db5-ec79630e4eb4/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f5d75b89-be36-4b2d-aaf2-fca6d917e472

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1364473

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-19 08:07:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddummvyegr2iy43pt2s2tiwqjhdxwccr24oh6mmddpaztaotrl3a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231219-nd9q7saghm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

1dbbb86f53c04ad69af0ce101aa4d5e9b0c4374f2bec83ad0370fd92b4e86c8c

MD5 hash:

a1be0f49bac9c500707c0613d06fe961

SHA1 hash:

3b7e22217c784e1c604c4e3a494db409b84f45a3

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

3363dcb868cc0208ec0549958076ad8569a1c19de4409ffbac91d7f92f082359

MD5 hash:

69209005d5bff76f7133bdfa9840aded

SHA1 hash:

5c210164a3cffab96cb8dbcc00acc1f79f48b7dd

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

e7fcdcc6eb9b36794b933d250e38da8c29da27421dbe7debde7f95ec8d6eeef1

MD5 hash:

56779565f69bd1a57fa19885118ca9d7

SHA1 hash:

8878685201aa0a0ef793b4f128de19f7cc414948

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

3e607aa55dd648cd45dcda743f5ab5decf09dfea51b3c9cd6dc3413bd920931b

MD5 hash:

b00d78e1dd434c9f330b8c4d18c82533

SHA1 hash:

fdcc56e780abb58811935700a78e4e8ba0ce32fc

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

56c502d63a4b73686f63a024042127a1df6dc6607237c1b487bd744969a52f13

MD5 hash:

585065b00dadd507f2e653403ea962bf

SHA1 hash:

dc62bbf72ecfbe7df446fa2663e500dedd1e8cec

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

93c5b67485c21718108f39f03c54b0cb07224f65468405ff554abcf39b859ef8

MD5 hash:

272979f447594b02c63951fb52cee926

SHA1 hash:

9a276365b7a59abce7600f7187edb95a4bf67bd1

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

f4ef93079b0a3e5ef0ccb6487257365cd344ce20c9c3b1d03ba2fc556ba267b9

MD5 hash:

4d5940b7782332e79c2db92641a06774

SHA1 hash:

580cb5a697d1c78f8749b94eb42cb68cc71af6e7

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

49f20cfb34f8e54c8c77094bf6f1788e337b3dc6499403a3ec69c57f89b2ebec

MD5 hash:

8a863292386eaf5f5d008bf3df435646

SHA1 hash:

51398f6d75d631148ecfa2ecdec7c9ecd519c5af

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

8f0b6db225ab3d97b5979cffcf3feebd70e7264b6064f591383f0147dcb59741

MD5 hash:

0a4ef3caaa7d6d3b8e60182fd52a6d35

SHA1 hash:

166ac82dce1fe7d8ad5191ea042a11e925f4e44c

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

SH256 hash:

18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6

MD5 hash:

2850060865cae6fcbb141ac0df454066

SHA1 hash:

ef233fa0918df96bfffc7c48e0834255c1e8798b

Link:

https://www.unpac.me/results/a25a8350-48f2-4295-8be1-c57d378d2585/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18e8c6570434748c736f9ea5a9a2d049c77b0851d71c7f31831bc19981d38af6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468478/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample