MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d73a4579f84d59f82e46024175c8bfb283fca301f4a4b3c4de56496cdbbed86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	1d73a4579f84d59f82e46024175c8bfb283fca301f4a4b3c4de56496cdbbed86
SHA3-384 hash:	f12b653a2d02f3cdced7192c1e558b5fe97d47d6672c10d4a5aa4b034191b9a4352b960b85e55946af91bed5797436ee
SHA1 hash:	a5b0334df8d078a2817a7ed685dbc5a83e989bb6
MD5 hash:	7481984fba685e017266b19ac0d8a51c
humanhash:	social-bluebird-south-five
File name:	documents.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'199'104 bytes
First seen:	2022-12-23 08:09:04 UTC
Last seen:	2022-12-28 19:10:28 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:WVje0gQR8bXCWRiEsRrKi0DMy4xjhyTlie3cfBtTkX7Y9xiTLCi900JmH2hpv962:WMIyYfiiw3ign8Qc
Threatray	853 similar samples on MalwareBazaar
TLSH	T12045383439FA501AB173EEAA8BE479DADA6FB7733B03645D109103864723A41DEC153E
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

documents.exe

Verdict:

No threats detected

Analysis date:

2022-12-23 08:12:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/88c582e1-b578-4a22-a77e-d079039b604c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1746.17265.30334.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/63a5625c2bb979c1eee4f8f4/reports/7e30ef1b-bf39-4479-8d71-3b9b438ce4c4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ba42176f-b326-48ba-bda8-6147d0d7f206

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1139922

Signature

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d73a4579f84d59f82e46024175c8bfb283fca301f4a4b3c4de56496cdbbed86/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-23 01:48:42 UTC

File Type:

PE+ (.Net Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dvz2iv47qtkz7axemasboxel7mud7srqd5fewpcn4vsjntn35wda._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/221223-j2p99abd2y/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

1d73a4579f84d59f82e46024175c8bfb283fca301f4a4b3c4de56496cdbbed86

MD5 hash:

7481984fba685e017266b19ac0d8a51c

SHA1 hash:

a5b0334df8d078a2817a7ed685dbc5a83e989bb6

Link:

https://www.unpac.me/results/213bfa5c-876c-4d90-977a-3b5ace5451d1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/1d73a4579f84d59f82e46024175c8bfb283fca301f4a4b3c4de56496cdbbed86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1d73a4579f84d59f82e46024175c8bfb283fca301f4a4b3c4de56496cdbbed86

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample