MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
SHA3-384 hash:	f125366e54d22249c5295d489daff050ab2f14675b4fdba264ad9744caecfb356d0719c56ca95d7e139f9ea5a9c072f1
SHA1 hash:	7103f267ec43336f1c54cf94c30cec3b265b67d3
MD5 hash:	d8ddec12a1fa74ffbf1a7d2a52270000
humanhash:	twenty-lemon-louisiana-red
File name:	Document.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	737'792 bytes
First seen:	2023-05-15 18:24:53 UTC
Last seen:	2023-05-15 18:46:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:cRmDIZiAt9rD0QWdDWJwsenaILotdzmLhd7ubfLUi/oeYvFK:UmD0t9rDjwDdTaIcJKSbDr/oeYvFK
Threatray	2'827 similar samples on MalwareBazaar
TLSH	T12FF4E189123BBDE2D95429B0721074434E3DB25775F8B0FCBD1B7488C9DB9224BE8676
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

295

Origin country :

CH

Vendor Threat Intelligence

ANY.RUN Suspicious

Malware family:

n/a

ID:

1

File name:

Document.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-15 18:27:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ec02c45-39f6-4022-beed-6b8d84c672e7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Formbook

Detection:

Formbook

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/390234/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Lazy.341213.6911.30756.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/646278ff18c2b9a49ad26890/reports/540205e9-259a-448d-9a58-53827e5a4288/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72ad46ed-b0e2-4dc5-be81-7e8c1f5f252f

Joe Sandbox FormBook

Result

Threat name:

FormBook

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1234022

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AgentTesla

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-10 21:23:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

8

AV detection:

23 of 37 (62.16%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=du3curxaalaypynnaiw6ul5jpae2eeojxj3dz7tdmagysp5dvmea._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b

Formbook

114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea

Formbook

2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b

Formbook

28981de1a7a9617749fe0a5d19b8e0c80b2dc082118c1ca1b95e475df34e44a4

Formbook

4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769

Formbook

5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15

Formbook

abbf85558290e3fa302f88f51243e5216f24c9bc4fce64a0f616db3be2c46e8e

Formbook

bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

Formbook

d549aca33462425f1f32e75b6635986df724a63b6f738247d4be19de580bc899

Formbook

+ 2'817 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/230515-w2lnaafc6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

UnpacMe win_formbook_w0 win_formbook_auto win_formbook_g0

Unpacked files

SH256 hash:

e031d5f3652259dd052e79eaee198ab7fb0feb522a859771289a39a73a297f06

MD5 hash:

5e5b621044793588fde2b9482b862083

SHA1 hash:

b85e8343fc412a63748589cd544b90ccc841dc92

Detections:

win_formbook_w0

Alert

Create hunting rule

win_formbook_auto

Alert

Create hunting rule

win_formbook_g0

Alert

Create hunting rule

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

Parent samples :

0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
19a7140e84227b4d9af59569af23a0a5a1edd34c45b24691348f227f2c540712
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
8bc2209887fffd6b27980ba8c2c138deb45370c5b0a8434f9542897c6a05c931
ede3876cdaa9f15dc9f49a080713bfc4e254d222d99c2a09b999d62d1d4f8c05
b755e080b9f6705b088275a44a96251bc547ad58b4f63c9988d90e1c97bf283f
36bd2802a452a2bee1659648b0a4b1de0cde1ebac09d0d5ebe0e2c1189483432
6371e6f808e46f98c8d2e98d1a81203dc6ec3aa755ee5e61bee436bcfdb92cbd
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
607dcd836bd33a6d2afe6ef3c632468ef126eb49923409e246ba7ec86311c5a7
00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f

SH256 hash:

fc83e07cff47a7ea1058bf4d75f6d98fcdaf457a6f88007dccbbc36796a16847

MD5 hash:

fe559bbf47ec0c554420bba97f79ba0e

SHA1 hash:

c097427b5800a352d105c830e98332fe8925bcdc

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

SH256 hash:

35ef2f05cf0ac728f628614dd1e7aa8b9e479a66564d2eba134ad421ba0aec86

MD5 hash:

5844f0dc544f091a0f04e3c9dabd6200

SHA1 hash:

fa14db3bc44f6fbb68dcfe35c108bdb467141c7a

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

SH256 hash:

3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35

MD5 hash:

8a2c496875c0871aecc16aae768b323f

SHA1 hash:

f5423a32125c70b512de301c5616c7b75477e2e7

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

SH256 hash:

a026890e4b6ca8da9101048165c3216c88237176ca7ec46182d20bb44056ad90

MD5 hash:

2ffe1d6b97d5a23dce7cba583fb2c0f1

SHA1 hash:

ce330b372cfe5c97520efc714903151f10886915

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

SH256 hash:

5832109593ca6ce8963535c23b9ef8d29b116968aa1c0a0caa8cabdcd208da5c

MD5 hash:

1202bc7da4cd828b53dba3a8ae0bf586

SHA1 hash:

0f8b9b07e0108675e1ca54a3a433f1a0f693f309

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

SH256 hash:

1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08

MD5 hash:

d8ddec12a1fa74ffbf1a7d2a52270000

SHA1 hash:

7103f267ec43336f1c54cf94c30cec3b265b67d3

Link:

https://www.unpac.me/results/5805b285-0a5d-4ee1-b4f2-af29a84ec6fa/

VMRay XLoader

Malware family:

XLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d362a46e002/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08

(this sample)

  

Dropped by

Formbook

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/390234/