MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 215dbb30d4a7087436d2a059f4cda4b0dfd002621feba2cacd826874bec91bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 215dbb30d4a7087436d2a059f4cda4b0dfd002621feba2cacd826874bec91bed
SHA3-384 hash: 2ef8d7af0e7a66adc64715ed3f1260f2699c974433bfcede7f46bd1419ff7bdb6ed0e373cd35cfb5c4698f8ff9cd9803
SHA1 hash: 984aca597c5be877ba14427157f718ed2525120a
MD5 hash: 584d4257031b7d9baea85909890c9b7b
humanhash: wisconsin-december-whiskey-spring
File name:SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.9777.20671
Download: download sample
Signature Formbook
Create hunting rule
File size:626'688 bytes
First seen:2022-05-17 13:43:05 UTC
Last seen:2022-05-23 11:56:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:QsIRvNQzVHb0tmN9vSOoif+XhMj1REXs4Apf2V9OCkhMh1sJANHQztXPC:QsIt5YvSOoiGxMxmspAVuhYegatXP
Threatray 15'657 similar samples on MalwareBazaar
TLSH T1FCD41216312E83B7C4BCBBFC74210A4493F9EA1B301AE25C5EDA91D74E66F804685F67
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 65e4d2eaecc4d859 (17 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.9777.20671
Verdict:
Malicious activity
Analysis date:
2022-05-17 23:13:32 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/5ba7ec5d-aa79-4019-9382-ad7cb5ef1908

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271629/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.9777.20671.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6283a70d6c85fb24969ab50e/reports/5427d5d7-62c8-4088-aeb5-a8ced09a8a5b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3573f0a-ad89-483f-a4c2-7fdfb7f1c081
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995884
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 628400 Sample: SecuriteInfo.com.Trojan.MSI... Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 19 Found malware configuration 2->19 21 Malicious sample detected (through community Yara rule) 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 7 other signatures 2->25 6 SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.9777.exe 3 2->6         started        process3 file4 17 SecuriteInfo.com.T...SQ.MTB.9777.exe.log, ASCII 6->17 dropped 9 vbc.exe 6->9         started        11 vbc.exe 6->11         started        13 vbc.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/215dbb30d4a7087436d2a059f4cda4b0dfd002621feba2cacd826874bec91bed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 09:46:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=efo3wmguu4ehinwsubm7jtnewdp5aatcd7v2fswnqjuhjpwjdpwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
38dcb9b9943a8e9c79592af3c754aae2feb84c832e7111828224f2bd663f3d82
Formbook
68a837f8646bc09c634d13045d36ee05f43f319e88c2a47295d01c47574accae
Formbook
a9f8ff439d6cf51c60a5f9bba3653ea480fa72249562e11d6bc03bda8e672f5d
Formbook
bcb97b3cbfe72dac8416a224ddb03a17ccba79da52872c6f5fcb13b93b43a247
Formbook
be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea
Formbook
ce7d3bdad0d089583e735635f3d475e11dde86d0ad1c76d8735085a9ec031d96
Formbook
e7962cdd23b186bb033234ee3275fef94db2650f2a15fd78b25c8a2662effc80
Formbook
f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
Formbook
+ 15'647 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mg11 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220517-q1ssbafcgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
a45ed60f84e924b5eb13dc3f473047dd31dab2c067378386dc78d35fc5f7e9c1
MD5 hash:
3e125fdaf37c1ea6374d92ea1ef63a92
SHA1 hash:
0d6cb771a99fda25559c36be46b1b3151ba15df8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f71e5b34-aaad-4c31-9883-0db9a23c25f8/
Parent samples :
215dbb30d4a7087436d2a059f4cda4b0dfd002621feba2cacd826874bec91bed
2e306d4e802c3797837c61dd955ac3d42c7648747a1f44fca0381069815e8e2b
SH256 hash:
3df95d5b087d8405ab670e63448787e6d2ba58470956c6772727e903afda1f19
MD5 hash:
61aea98e13edc07637de29727f7fefe4
SHA1 hash:
ce9bf967999403f870f72f91cfa05b5db0e9459f
Link:
https://www.unpac.me/results/f71e5b34-aaad-4c31-9883-0db9a23c25f8/
SH256 hash:
97527da0af9e8321eb6aa2c760bc3a6453341b0fef90c44595a02945c2dd3144
MD5 hash:
332f0164e6b19699174c491d839d6ec9
SHA1 hash:
eadeadeaf7bf3978d86d633bd054e4ff317ecc40
Link:
https://www.unpac.me/results/f71e5b34-aaad-4c31-9883-0db9a23c25f8/
SH256 hash:
ddaca71991bff702252a5c61a9acf2c28ccc1d46ca9a803c5de4d7086e0b4d5f
MD5 hash:
f52d3be739d2f40e81b1db089b04672e
SHA1 hash:
cf6b2666d1e627779381fbde6aa434196b18f3ca
Link:
https://www.unpac.me/results/f71e5b34-aaad-4c31-9883-0db9a23c25f8/
SH256 hash:
8469397ea3534b282d043f23dc5500949247e2b58e9ee720682f8b2b84b74bfb
MD5 hash:
ae48acd6a6daef48ef913da4f412b48b
SHA1 hash:
f527d57b319daaa486816d9d92a7ceb4e752078b
Link:
https://www.unpac.me/results/f71e5b34-aaad-4c31-9883-0db9a23c25f8/
SH256 hash:
215dbb30d4a7087436d2a059f4cda4b0dfd002621feba2cacd826874bec91bed
MD5 hash:
584d4257031b7d9baea85909890c9b7b
SHA1 hash:
984aca597c5be877ba14427157f718ed2525120a
Link:
https://www.unpac.me/results/f71e5b34-aaad-4c31-9883-0db9a23c25f8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/215dbb30d4a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/215dbb30d4a7087436d2a059f4cda4b0dfd002621feba2cacd826874bec91bed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/271629/

Comments