MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711
SHA3-384 hash: 0dc6daf4a023dd5ff2a2b731042de11d2e3f664b77d08e2ba1d3de19e6140ad3e00aafa245fa0d88a84860f51a70da70
SHA1 hash: 23be471da5a3af35ec028ab9f5351a7c983aedd8
MD5 hash: 5a260cd1c4c74abfffba83be3ac024f6
humanhash: avocado-lemon-utah-ack
File name:Shipment 6345AB Toledo.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:612'864 bytes
First seen:2023-09-29 09:04:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:wO725NgQfjBqCmRAHSrEzA15uctWEk/dnDqQ7MIV:wxfjcqyTHtWEkRqUMI
Threatray 36 similar samples on MalwareBazaar
TLSH T162D423A6399E8B64D98D067E87EE00594370B640D404F368CA8FA6DF0E7D39C6621F77
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b26969e8e8e8f0f0 (23 x AgentTesla, 13 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6516934049c6a4ce497f2e27/reports/068d2e82-c809-4f6d-a470-b6635e0270d9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a03fdf9a-7702-422c-9448-90fdf39396b5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1316319
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316319 Sample: Shipment_6345AB_Toledo.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 92 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected FormBook 2->32 34 3 other signatures 2->34 9 Shipment_6345AB_Toledo.exe 3 2->9         started        process3 signatures4 36 Injects a PE file into a foreign processes 9->36 12 Shipment_6345AB_Toledo.exe 9->12         started        process5 signatures6 38 Maps a DLL or memory area into another process 12->38 40 Queues an APC in another process (thread injection) 12->40 15 KSWFIebakg.exe 12->15 injected process7 process8 17 help.exe 15->17         started        signatures9 26 Maps a DLL or memory area into another process 17->26 20 WerFault.exe 17->20         started        22 explorer.exe 2 1 17->22 injected 24 KSWFIebakg.exe 17->24 injected process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 00:32:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3yfqxom32fhyh5mgn2nnvg3lk6jfisjed3wxeddz6y6love64iq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
32119baabd1fab988ebaf2f5692f46c797902e94b52729c27f30f8e579feb530
Formbook
3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6
Formbook
582b83da6cb0374b90790106f9e4b8a046e9d0b24cbd725c2be985c8c0a149bf
Formbook
6de402e896d0ecf6b4d55fe0ffc1b978e511a632a842e188200e5cb736893210
Formbook
712f1dd153cfa3cdc0d32d481f58aff6b583bc7a60a94597a8c47ced99360d89
Formbook
75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f
Formbook
7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd
Formbook
95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511
Formbook
96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63
Formbook
a81a0d29652f5c3497d905b124fefc89e7149f61c87b2198872c4dbe8f0c0048
Formbook
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230929-k17ctaae45/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
eee9e0c2d7990220644ba50ed56e5deea071d29fec8323a1f0726dc31911c3e0
MD5 hash:
c08134907ee5214acd53c6449482869f
SHA1 hash:
bfbcb9e2e0f9119a05ca266bd90e42ebc91b2c9a
Link:
https://www.unpac.me/results/47ba3ba6-5d08-4275-8994-5c68caabc771/
SH256 hash:
cfbf4f2e7540bc439e7a8c00f8b581a264488dabb9c0cb79ad519137539fc327
MD5 hash:
2c3b9a4eb1edb26aa0bb2817541c5d92
SHA1 hash:
a68e7e9ed116473bb4a01f7634856d8a7a02508d
Link:
https://www.unpac.me/results/47ba3ba6-5d08-4275-8994-5c68caabc771/
SH256 hash:
abed99881ce1e05907653d1697ae232575d0cf067fd5cc646e2e5ee9f7337c82
MD5 hash:
491a7170bd8a7ed81d03a64ff2598bdf
SHA1 hash:
8325a5bccba80878a14032c06b78b34db808b910
Link:
https://www.unpac.me/results/47ba3ba6-5d08-4275-8994-5c68caabc771/
SH256 hash:
27d04de16daefa26170c40aef70254db623efbc18be1b28af143d4deabaa6bec
MD5 hash:
38492b97662930fe33d59de3f41fd78a
SHA1 hash:
6fdb4542eeff9ccfd64f2b6e8f7f0a26ead5962c
Link:
https://www.unpac.me/results/47ba3ba6-5d08-4275-8994-5c68caabc771/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/47ba3ba6-5d08-4275-8994-5c68caabc771/
SH256 hash:
1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711
MD5 hash:
5a260cd1c4c74abfffba83be3ac024f6
SHA1 hash:
23be471da5a3af35ec028ab9f5351a7c983aedd8
Link:
https://www.unpac.me/results/47ba3ba6-5d08-4275-8994-5c68caabc771/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments