MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
SHA3-384 hash: aa7048abd9b1974677e815653fcb8d58268e1d9b156e6e0fc4f196ebf7f6b0d34d9166cdc2dc84f40d830c09cf054774
SHA1 hash: b0ce6d58037a4f05cb31eeca7db4ad2c347bc358
MD5 hash: 5bc818a30e4d9d8a6bb828767ca1bf2a
humanhash: rugby-earth-papa-emma
File name:20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
Download: download sample
Signature Formbook
Create hunting rule
File size:766'976 bytes
First seen:2025-01-10 14:07:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:6EUHsWksNFwTFMKh5EOU30lLG6wVxm0f8dIqCSzy+MbM+jikHUUkLItauQmE:YsWfY+sy30lLG5xm+87CSzEE+PtaoE
TLSH T103F4AE1476948F63CA7587F53872E0B413FC1EAEA01AE2555DC17EEB79A2F048960F83
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2024-10-09 08:31:37 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/1c735ae9-9658-436b-9939-4a386da9abc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Nanocore-10025638-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678129db2c8240e189bb8181
Tags:
virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nanocore packed packed packer_detected
Link:
https://www.filescan.io/uploads/678129d0860a7956a033c396/reports/d019472d-f404-4c5f-a009-d567f79dd730/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac1471e6-5c61-4f2c-bd7d-08ddd70304f4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1587624
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1587624 Sample: TU0kiz3mxz.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 100 37 www.cleans.xyz 2->37 39 www.yeloma-treatment-82106.bond 2->39 41 10 other IPs or domains 2->41 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 61 9 other signatures 2->61 11 TU0kiz3mxz.exe 3 2->11         started        15 explorer.exe 141 2->15         started        signatures3 59 Performs DNS queries to domains with low reputation 37->59 process4 file5 35 C:\Users\user\AppData\...\TU0kiz3mxz.exe.log, ASCII 11->35 dropped 73 Tries to detect virtualization through RDTSC time measurements 11->73 75 Switches to a custom stack to bypass stack traces 11->75 17 TU0kiz3mxz.exe 11->17         started        20 TU0kiz3mxz.exe 11->20         started        77 Query firmware table information (likely to detect VMs) 15->77 signatures6 process7 signatures8 45 Modifies the context of a thread in another process (thread injection) 17->45 47 Maps a DLL or memory area into another process 17->47 49 Sample uses process hollowing technique 17->49 51 2 other signatures 17->51 22 explorer.exe 26 1 17->22 injected process9 dnsIp10 43 www.cleans.xyz 13.248.169.48, 49868, 80 AMAZON-02US United States 22->43 63 System process connects to network (likely due to code injection or exploit) 22->63 26 explorer.exe 22->26         started        29 WerFault.exe 21 22->29         started        signatures11 process12 signatures13 65 Modifies the context of a thread in another process (thread injection) 26->65 67 Maps a DLL or memory area into another process 26->67 69 Tries to detect virtualization through RDTSC time measurements 26->69 71 Switches to a custom stack to bypass stack traces 26->71 31 cmd.exe 1 26->31         started        process14 process15 33 conhost.exe 31->33         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-10-09 07:01:56 UTC
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ed67p67fopmsgmee6lztqn4ycukz5hafpjnrdcpyab6tztyoiica._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m25s discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250110-rfkrmsylbl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
Win.Dropper.Nanocore-10025638-0
YARA:
n/a
Link:
https://app.threat.zone/submission/bb18e7db-1903-4e82-b8ef-9052c383999a
Unpacked files
SH256 hash:
08d3142c4cfa04b1174933cb87f1efe3a38d0d25b275d1560d4c147183acf5a4
MD5 hash:
c124fec49bf7c353d5dfa5bbeba3d0f9
SHA1 hash:
55e9746739114ffd1f4ed4bfa759210f6c74284d
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/19d8ac11-a299-4e97-851a-8c0478d18708/
Parent samples :
7485c7b439341ddefbc3a27c36fd79acd5bad67aed05e9ccdaf7689a6d71ab23
fea39de44dd9f6382637a9a218d2d5002627ce79a37f2dfe0d6bacb51a2de873
545f70314c72e3b34893811f991d96aa1cee2049f346419264e10f0ae44400bb
f86f20a799e10fb4906d426906e30734636a4c2743b8dd1b781adb307f4d5576
2d1500188097d6bc8f6bcd1690db485ea07e82470b2a631246a4ff5c4b64fa42
067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c
20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
SH256 hash:
ad969ea3c2c1d12208a75483aae11003b1ef2ca3622f2d37c547c4525c458468
MD5 hash:
5ae82d358776bf1398df27b8f1aff855
SHA1 hash:
a3d3a8c58f913988575e2dd2902abca1c16101b5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/19d8ac11-a299-4e97-851a-8c0478d18708/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/19d8ac11-a299-4e97-851a-8c0478d18708/
SH256 hash:
20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
MD5 hash:
5bc818a30e4d9d8a6bb828767ca1bf2a
SHA1 hash:
b0ce6d58037a4f05cb31eeca7db4ad2c347bc358
Link:
https://www.unpac.me/results/19d8ac11-a299-4e97-851a-8c0478d18708/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments