MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c
SHA3-384 hash: 05d869a05ceb6281fab23e19fa97242aa65364c43de80bb6773afc90e54f5899bc20d7354e111a7322ff686829e8984a
SHA1 hash: 5cd4986565a8e522148a4cb5eadaa97e0e2f78a3
MD5 hash: 488b4e907b77d7cc1fa203bd8f29b533
humanhash: skylark-avocado-low-zebra
File name:SecuriteInfo.com.Win32.PWSX-gen.31096.20470
Download: download sample
Signature Formbook
Create hunting rule
File size:1'200'128 bytes
First seen:2022-10-13 03:59:43 UTC
Last seen:2022-10-14 11:17:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:FjhtgKpzxUjzYpaqp3WwLndSY6ZWwp2qyYML9+4kW9645BMacon:FjhtgaSXYpFdWwra5K9+4/I43Map
TLSH T18245AC7622994913E01A32B4C847D1F32BF75D626496D2C71AC72FAFBC843B7961324B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319648/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31096.20470.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63478d44f2794c622d28ac46/reports/7dbd362e-4506-4a49-a798-b9de7b716cda/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cfe473f-38ca-4d44-9eef-d7a735930ddf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089442
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722039 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Sigma detected: Scheduled temp file as task from temp location 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 6 other signatures 2->46 7 SecuriteInfo.com.Win32.PWSX-gen.31096.20470.exe 7 2->7         started        11 BVjwSSoB.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\BVjwSSoB.exe, PE32 7->32 dropped 34 C:\Users\...\BVjwSSoB.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp5E80.tmp, XML 7->36 dropped 38 SecuriteInfo.com.W...31096.20470.exe.log, ASCII 7->38 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 54 Adds a directory exclusion to Windows Defender 7->54 13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        17 SecuriteInfo.com.Win32.PWSX-gen.31096.20470.exe 7->17         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 19 BVjwSSoB.exe 11->19         started        22 schtasks.exe 1 11->22         started        signatures5 process6 signatures7 24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        48 Modifies the context of a thread in another process (thread injection) 19->48 50 Maps a DLL or memory area into another process 19->50 28 explorer.exe 19->28 injected 30 conhost.exe 22->30         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 03:07:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkdrd3rtufaxxod5ieu6f6cx56a7jn24scerxyr3yupywzbnigoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:5pdf rat spyware stealer trojan
Link:
https://tria.ge/reports/221013-eknb4saehq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e8a03fd1-d7b3-4a0b-8647-d39d18713449
Unpacked files
SH256 hash:
2723c44f6bae568744c0f6b56b846e70eeb3d5d03b7f436b8c1199b89c12d727
MD5 hash:
174743808ec50429b587bad2e053fb04
SHA1 hash:
ba5c22d5d5a38a16ae8045c0900dfa4f9531d069
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
Parent samples :
1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c
f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b
SH256 hash:
0df1880919fffb48777619ab02f4451b3fe1e38239e3732f9fedabea891e72c0
MD5 hash:
620366d2032d5acefdee3d24e7ed8969
SHA1 hash:
7ae905d4f126c54e1c858a23632dd629d59bb525
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
SH256 hash:
51097dae80764310ab7c226e0dd5bde690867c62242d30df390018f6dc9270c7
MD5 hash:
5701530abc0f8930ace8380a5c9feb6d
SHA1 hash:
edcb54717517b9032f7c11de61b9579f8d3cd99c
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
SH256 hash:
3991a2566eb353a902da4dd472d7f627b2625c31cbee59257dbede8692ab20fa
MD5 hash:
61afb8a1018680b55c761d91e8acbed9
SHA1 hash:
3d549bec2abaad9b4a1b9938cb309ce7c6993387
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
SH256 hash:
1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c
MD5 hash:
488b4e907b77d7cc1fa203bd8f29b533
SHA1 hash:
5cd4986565a8e522148a4cb5eadaa97e0e2f78a3
Link:
https://www.unpac.me/results/ec456ccc-f78c-47ca-ad2d-fc8e64227c5d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a8711ee33a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319648/

Comments