MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
SHA3-384 hash:	5fe713cbbb4c74a126fea6cd9190005ea18fbe7a4ef686b58901363ba105c50d3201d9781e10b0a703a3b9a5d28cb910
SHA1 hash:	ee93ecc9e6d69b71c2c4d6292db8d7e309cb7583
MD5 hash:	342e16919f0cd9425f8808da5346f3f2
humanhash:	sixteen-eighteen-arkansas-blossom
File name:	SecuriteInfo.com.Win32.PWSX-gen.19387.17961
Download:	download sample
Signature	Formbook Create hunting rule
File size:	665'600 bytes
First seen:	2023-07-03 05:28:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:9DLg6uQqJTJCxPr+mb+W3oTHoi663JJjsop3QFy4PFfobgRJ+NA3V:9DLgnzJTJCxPr+mbdwV66rjcFyM5KgRb
Threatray	3'147 similar samples on MalwareBazaar
TLSH	T197E4CE55E1559C46EBA516B8FCEF5814FE60FC8F141AC6FA2D477EA8383031A00F25AB
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.19387.17961

Verdict:

Malicious activity

Analysis date:

2023-07-03 05:31:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/63beaff8-7ac1-4d94-ba5b-c2176f3d3f64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/405673/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19387.17961.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/64a25ca22299d26882644646/reports/38eaff7a-462b-4fd4-87ce-e2e70f23f96e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b2247d0-101c-4df4-85cb-d46441d9cd4e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1265505

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-07-03 05:18:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dfbhxh477632cumngt2fh2rxv36ctcyvpshrljhr3xmmudpqb3na._file

Verdict:

malicious

Label(s):

formbook

Formbook

114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea

Formbook

13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7

Formbook

18beb4a5262e0b0dce0f554a9088b13fd37182637d456eef86da3ce4f71a013a

Formbook

7ff09715ea3fa12705da00d500b72329217b7d82cae0c59aefa0ebbf3724a36d

Formbook

a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc

Formbook

a530b6b2224f5b81914f4e439b135a06e761d6587e1ea76eb069c7c51c3ca50d

Formbook

d13d4b6f1f4dc4f66b7a93d72eba7dd5051164277a40e3776a70298ac7cd54dd

Formbook

f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644

Formbook

fc98651f6e422a0a58955659b338a9f11186b7ec235eee1daf9462fd725faf20

Formbook

+ 3'137 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230703-f6knsagb2v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

62bab32d7b538d8cc349c517df2686e3e7d245d9d3c69f6a0694f528f51c0db3

MD5 hash:

94e2e2b0d7ef39d0ce9296beb009a86d

SHA1 hash:

de83323cf051059348ce1591d45ab6ef8829a0be

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

Parent samples :

19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

SH256 hash:

8ffd5e196aeab8c63166a7df6c664d680bb5084725887786641dfee2f3b8e1a8

MD5 hash:

079693d4675ed68b3dcab62298671662

SHA1 hash:

1590e1ddb774bc7e0b6d2b3ff1c0bee2005d1f1a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

cdd19df696f75a828ad2986cf473b62449cb8812d4c73bcb7ce5eba30af96c9a

MD5 hash:

b76af6d18f5358b0420dc758af77c52f

SHA1 hash:

e47db8579d48ef71b0a2e002897b77c3adcabc68

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05

MD5 hash:

9b3a1b5d3ffe9fb9db6c5aaefa1ae076

SHA1 hash:

0da05e4c72430da0d061a02cd6cf50c41e6bd83a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

62bab32d7b538d8cc349c517df2686e3e7d245d9d3c69f6a0694f528f51c0db3

MD5 hash:

94e2e2b0d7ef39d0ce9296beb009a86d

SHA1 hash:

de83323cf051059348ce1591d45ab6ef8829a0be

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

Parent samples :

19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

SH256 hash:

8ffd5e196aeab8c63166a7df6c664d680bb5084725887786641dfee2f3b8e1a8

MD5 hash:

079693d4675ed68b3dcab62298671662

SHA1 hash:

1590e1ddb774bc7e0b6d2b3ff1c0bee2005d1f1a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

cdd19df696f75a828ad2986cf473b62449cb8812d4c73bcb7ce5eba30af96c9a

MD5 hash:

b76af6d18f5358b0420dc758af77c52f

SHA1 hash:

e47db8579d48ef71b0a2e002897b77c3adcabc68

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05

MD5 hash:

9b3a1b5d3ffe9fb9db6c5aaefa1ae076

SHA1 hash:

0da05e4c72430da0d061a02cd6cf50c41e6bd83a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

62bab32d7b538d8cc349c517df2686e3e7d245d9d3c69f6a0694f528f51c0db3

MD5 hash:

94e2e2b0d7ef39d0ce9296beb009a86d

SHA1 hash:

de83323cf051059348ce1591d45ab6ef8829a0be

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

Parent samples :

19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

SH256 hash:

8ffd5e196aeab8c63166a7df6c664d680bb5084725887786641dfee2f3b8e1a8

MD5 hash:

079693d4675ed68b3dcab62298671662

SHA1 hash:

1590e1ddb774bc7e0b6d2b3ff1c0bee2005d1f1a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

cdd19df696f75a828ad2986cf473b62449cb8812d4c73bcb7ce5eba30af96c9a

MD5 hash:

b76af6d18f5358b0420dc758af77c52f

SHA1 hash:

e47db8579d48ef71b0a2e002897b77c3adcabc68

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

62bab32d7b538d8cc349c517df2686e3e7d245d9d3c69f6a0694f528f51c0db3

MD5 hash:

94e2e2b0d7ef39d0ce9296beb009a86d

SHA1 hash:

de83323cf051059348ce1591d45ab6ef8829a0be

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

Parent samples :

19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

SH256 hash:

198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05

MD5 hash:

9b3a1b5d3ffe9fb9db6c5aaefa1ae076

SHA1 hash:

0da05e4c72430da0d061a02cd6cf50c41e6bd83a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

8ffd5e196aeab8c63166a7df6c664d680bb5084725887786641dfee2f3b8e1a8

MD5 hash:

079693d4675ed68b3dcab62298671662

SHA1 hash:

1590e1ddb774bc7e0b6d2b3ff1c0bee2005d1f1a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

cdd19df696f75a828ad2986cf473b62449cb8812d4c73bcb7ce5eba30af96c9a

MD5 hash:

b76af6d18f5358b0420dc758af77c52f

SHA1 hash:

e47db8579d48ef71b0a2e002897b77c3adcabc68

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05

MD5 hash:

9b3a1b5d3ffe9fb9db6c5aaefa1ae076

SHA1 hash:

0da05e4c72430da0d061a02cd6cf50c41e6bd83a

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

SH256 hash:

19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda

MD5 hash:

342e16919f0cd9425f8808da5346f3f2

SHA1 hash:

ee93ecc9e6d69b71c2c4d6292db8d7e309cb7583

Link:

https://www.unpac.me/results/6a6d716c-9ba9-4f27-a3e6-f4ed24b6b398/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/19427b9f9fff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/405673/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample