MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104
SHA3-384 hash: 7075154bd235ea80cef2534e3ab873d9ac75fe27aae568b54e3ff3d211881b5036ac654892a02047432084be4c686c10
SHA1 hash: 025043c6ac4a386b70256d3a302607e68c373428
MD5 hash: ca74c00cfcde35e47695f8d07fe03945
humanhash: lake-colorado-victor-artist
File name:-043789-098765.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:767'288 bytes
First seen:2022-10-14 08:21:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:XbE/HUH+58yUPAQVadXOuWQlMtx3FxujtCt0674BjfhGTKk9CmpesC9dr50:XbL+9UPABdn03Istd7GGOkTph86
Threatray 2'965 similar samples on MalwareBazaar
TLSH T12FF459D0F541C45ADF821F7D8826CD32A2E66C278AB0798E62CD7E5B77B73022936417
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0f0f1f1f1f2f018 (12 x GuLoader, 4 x AgentTesla, 3 x SnakeKeylogger)
Reporter 0xToxin
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320303/
Detection(s):
SecuriteInfo.com.Variant.Lazy.254423.17961.21453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43092/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63491c2a33e66132ed030da5/reports/7fea2a64-77d6-45b6-aa8a-3c7f9456f4a5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a09a0dd1-287a-4be4-8204-065dad6fe25f
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1090595
Signature
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 723209 Sample: -043789-098765.exe Startdate: 14/10/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 3 other signatures 2->67 7 -043789-098765.exe 18 2->7         started        10 hmlmxhsyib.exe 2 2->10         started        13 hmlmxhsyib.exe 2 2->13         started        process3 file4 39 C:\Users\user\AppData\Local\Temp\swwrt.exe, PE32 7->39 dropped 15 swwrt.exe 1 5 7->15         started        41 C:\Users\user\AppData\Local\Temp\1241.tmp, PE32 10->41 dropped 69 Multi AV Scanner detection for dropped file 10->69 71 Found hidden mapped module (file has been removed from disk) 10->71 73 Maps a DLL or memory area into another process 10->73 75 Writes or reads registry keys via WMI 10->75 19 hmlmxhsyib.exe 1 10->19         started        21 WerFault.exe 10 10->21         started        23 conhost.exe 10->23         started        43 C:\Users\user\AppData\Local\Temp\2636.tmp, PE32 13->43 dropped 25 WerFault.exe 10 13->25         started        27 hmlmxhsyib.exe 13->27         started        29 conhost.exe 13->29         started        signatures5 process6 file7 45 C:\Users\user\AppData\...\hmlmxhsyib.exe, PE32 15->45 dropped 47 C:\Users\user\AppData\Local\Temp\6112.tmp, PE32 15->47 dropped 49 C:\Users\user\AppData\Local\Temp\5CEB.tmp, PE32 15->49 dropped 51 Multi AV Scanner detection for dropped file 15->51 53 Found hidden mapped module (file has been removed from disk) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Writes or reads registry keys via WMI 15->57 31 WerFault.exe 23 9 15->31         started        33 swwrt.exe 2 15->33         started        35 conhost.exe 15->35         started        37 swwrt.exe 15->37         started        59 Tries to harvest and steal browser information (history, passwords, etc) 19->59 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 06:39:19 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dj2vmla7gy3h7hcygx6mcpx5evnnezq7bhmazqo7vm5j7oteaeca._file
Verdict:
malicious
Similar samples:
2506f6b3fd9f7289c9cf4587b682c3f49c6365be7c8fc56559337e015cb7bca6
Formbook
45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
Formbook
74bd97b0541929ff9ea8715d55fc375a91376bc9868ac1b551acdfa871e0e765
Formbook
796b93e1306888ffa8b48c29ff68dee8f6bb7d1fb0b96beb0ba3fd3b3d0f801d
Formbook
8f458a7e77b48b60467dc6338ea5854db2afa53754fb2098edd8caf415ca6e64
Formbook
a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
Formbook
c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589
Formbook
d476dd03b89f907816cb87f2182926791494de65269e1b82356c61a7350e1fad
Formbook
+ 2'955 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221014-j9jsfafbhk/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/17dd808e-a195-4db4-856e-8c2453304ba9
Unpacked files
SH256 hash:
02d9cdd5836455056bbf129de16168ea2245f0cbed926d0786251d08de3699c1
MD5 hash:
5f8dadbbef4898c58f6f9b986020ad7f
SHA1 hash:
c8fda3962cda7a3ed1ee5dba09986b1134b9a5af
Link:
https://www.unpac.me/results/9756d9ab-f87a-4538-a4d6-a20ddf4fad67/
SH256 hash:
4ae02902dc6f3ea9a2801aebdc9099e4766c4190269cb9d5c8ec872f2c2229f2
MD5 hash:
038fe0881ec1839ad146fe976dddc6dc
SHA1 hash:
8565f4e3539abf37b626e5a70e93251b51486368
Link:
https://www.unpac.me/results/9756d9ab-f87a-4538-a4d6-a20ddf4fad67/
SH256 hash:
d5864da0f90081923286cabd8512bc49e73f0074808cc2efff1d2df9d0261b3a
MD5 hash:
22f565d3abf33d622132ca0774d96417
SHA1 hash:
205e75512bd7c679ccd2238da5a3c8c8155e7191
Link:
https://www.unpac.me/results/9756d9ab-f87a-4538-a4d6-a20ddf4fad67/
SH256 hash:
1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104
MD5 hash:
ca74c00cfcde35e47695f8d07fe03945
SHA1 hash:
025043c6ac4a386b70256d3a302607e68c373428
Link:
https://www.unpac.me/results/9756d9ab-f87a-4538-a4d6-a20ddf4fad67/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1a75562c1f36367f9c5835fcc13efd255ad2661f09d80cc1dfab3a9fba640104

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/320303/

Comments