MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0
SHA3-384 hash:	9874796d5e9084ff020e0d9992687b533e9d8e5ef2a78fee39d4196dc46bad69823196e01c4921daea788c00c314fc29
SHA1 hash:	7bce08cc1c0f3472c6243011f1d80f76a0cbee87
MD5 hash:	c8fa1bb08a183864d32d64e98f491833
humanhash:	winner-lamp-bulldog-cup
File name:	SecuriteInfo.com.W32.AIDetectNet.01.17143.20738
Download:	download sample
Signature	Formbook Create hunting rule
File size:	670'208 bytes
First seen:	2022-05-31 04:08:06 UTC
Last seen:	2022-05-31 04:33:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:XrXpUSlB61512pHSAao3cXOPg/5ZyHzTbmnj2iG8+Rsse3CZuT8KFcgyQ5J2l:7XpUSlB615125J4YgBZyHDmjceSwT8Wy
Threatray	15'918 similar samples on MalwareBazaar
TLSH	T16DE41270662D5793CD7F0FB9C0656490A378921AA203F72DDED069A878C73D2A9077E3
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70f8ecccece87070 (15 x Formbook, 9 x AgentTesla, 8 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.17143.20738

Verdict:

Suspicious activity

Analysis date:

2022-05-31 04:09:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1674dfe3-7b27-488e-831c-d075de4c121b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/275578/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.17143.20738.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/629594b96eb3ff326342e651/reports/0c256fd1-8db1-4a39-9033-f19bc75144f4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1dbac962-9bdb-4b43-a22d-082de32148b2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003930

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-31 04:09:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dh22fwl4mk44ngrr5dgq3xoj4ggikikyxqo4actgjowods7hykqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66

Formbook

37ba3f12ba63a18cc331c31a31665813b40ed2825b76b355f56d396da2407648

Formbook

3e20e05dc0f89bd2a37936b5e3a2631af6cdb687218275731b6f7e7f79febc9e

Formbook

4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b

Formbook

4b9c6211bbd01950f10d8a2ea7ac75ef380c1d4f88a1b5a9e55b6fdf09d3f603

Formbook

5d429d5b5040db22296b658ddf87b4ee8a5dd7ba5e780453c2336dd13555e4bf

Formbook

67df49c1f0f94c41c91df4cb71835b1e188d19a19b5eb1346f1e0da4444d13d0

Formbook

b01852366a757d7a668950fe78fe78113c184d24db59aefe7dd52c44eaed2c77

Formbook

c3d22e98a8fffa462b6924bdd9293d8f5fa31e9d95e667adba83e0d404d46ef2

Formbook

+ 15'908 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ttbe loader rat

Link:

https://tria.ge/reports/220531-eqsh1sdgc6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0

MD5 hash:

c8fa1bb08a183864d32d64e98f491833

SHA1 hash:

7bce08cc1c0f3472c6243011f1d80f76a0cbee87

Link:

https://www.unpac.me/results/fe9562e5-fa04-4830-880a-e75784bc025f/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/19f5a2d97c62/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/19f5a2d97c62b9c69a31e8cd0dddc9e18c852158bc1dc00a664bace1cbe7c2a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275578/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample