MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0
SHA3-384 hash: ccff5b9835ec56e59ddf35d62440a717f4533d8f8e6ac17feac1281972b970f55c78dbb871efb1239ef14d8f7a592e59
SHA1 hash: fda99561969f8b08b165bea6c205a3a2b87f7086
MD5 hash: cb75f58a8d5e9ab38bf5e6afdb09d7c8
humanhash: bravo-victor-uniform-mike
File name:Ooseha.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'479'680 bytes
First seen:2023-10-10 14:03:01 UTC
Last seen:2023-10-10 14:34:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:dTjqldLq9rQBg2PJjyxS345Qlfcm+1zaEKH3iaOUshyHRl:d4dLq9rQPdCaOUshyHn
Threatray 15 similar samples on MalwareBazaar
TLSH T13F659303BA579DA2C5481F3EC6974C2403B5D5816323F73A798A236A58437BB7A4DE0F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d0f4ecceec989280 (3 x GuLoader, 1 x AgentTesla, 1 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
stuff.xls
Verdict:
Malicious activity
Analysis date:
2023-10-10 07:45:45 UTC
Tags:
opendir exploit cve-2017-11882 loader formbook xloader stealer spyware
Link:
https://app.any.run/tasks/29182af6-289c-4b5d-aea3-58a0318a4125

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.26678.32572.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed
Link:
https://www.filescan.io/uploads/652559974d45a517a345602a/reports/bbef7c0d-6b18-422c-8132-8c3b7cc1066f/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/467a58dd-b025-4b49-b58d-0610ac098411
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322994
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322994 Sample: Ooseha.exe Startdate: 10/10/2023 Architecture: WINDOWS Score: 100 30 xxkxcfkujyeft.xyz 2->30 32 www.xxkxcfkujyeft.xyz 2->32 34 13 other IPs or domains 2->34 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 7 other signatures 2->50 10 Ooseha.exe 15 3 2->10         started        signatures3 process4 dnsIp5 42 23.95.106.3, 49744, 49745, 80 AS-COLOCROSSINGUS United States 10->42 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->62 64 Injects a PE file into a foreign processes 10->64 14 Ooseha.exe 10->14         started        signatures6 process7 signatures8 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 17 MXBMsOHBbxeSEVy.exe 14->17 injected process9 process10 19 cscript.exe 13 17->19         started        signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Writes to foreign memory regions 19->56 58 3 other signatures 19->58 22 explorer.exe 4 1 19->22 injected 26 MXBMsOHBbxeSEVy.exe 19->26 injected 28 firefox.exe 19->28         started        process12 dnsIp13 36 www.frefire.top 67.223.117.37, 49774, 49775, 49776 VIMRO-AS15189US United States 22->36 38 www.flyingfoxnb.com 216.40.34.41, 49778, 49779, 49780 TUCOWSCA Canada 22->38 40 8 other IPs or domains 22->40 60 System process connects to network (likely due to code injection or exploit) 22->60 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0/
Threat name:
ByteCode-MSIL.Trojan.Msilheracles
Create hunting rule
Status:
Suspicious
First seen:
2023-10-10 10:43:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dhswsk2bme6lq6ip2xztqhulcdapxngyqxmcns23p5yhkra5ikya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
36a859a1fcd2f731adf2bcae4c59be9292f442313a22bdcc4b6275ea08086bd0
Formbook
54a730e5183a57a65dc6fa64170a3d75fa870677fb54d563b3b867a2d6208548
Formbook
90bb8de06b3450c6b63aa813597ed02a9fec7a1c2040a3271a0f5a7cdc145e66
Formbook
92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea
Formbook
9554e7ef83f9c1aabed52be7a308d7e25c99e7d71e006146aee045d29784f92d
Formbook
bdf855ab17ba3f41611671ada67ce6972d8521d04a7c339b2f5dfdcf8a5146d2
Formbook
be8ccfb19dab5c8d7b4273dc77b34c7ca0afea516e6bf85f607904345a3ad54f
Formbook
e3918d1a379ce63babeab599ef8897ce97001017680702dfc8b5ca8ff1808b54
Formbook
f40e1c8b377326be3e33ef49ddfb71fabf7af2f9a337a3c74784fc7f0356edcc
Formbook
f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d
Formbook
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/231010-rcnzwsdh8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Downloads MZ/PE file
Unpacked files
SH256 hash:
19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0
MD5 hash:
cb75f58a8d5e9ab38bf5e6afdb09d7c8
SHA1 hash:
fda99561969f8b08b165bea6c205a3a2b87f7086
Link:
https://www.unpac.me/results/cb6185f9-2516-4398-b7d2-d6a42316968d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19e5692b4161/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2719190/
  
Delivery method
Distributed via web download

Comments