MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 223589a5bf3a043b8d606772f167112ca6ddd2e445b73a1efc6dfb25307d20ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

SHA256 hash: 223589a5bf3a043b8d606772f167112ca6ddd2e445b73a1efc6dfb25307d20ce
SHA3-384 hash: 4488620c5a92f04652fc77cd1ccaa7c801b872b0d0a563ad80e316d6000c6e1dad6cba9e4b396aa776e9bbc7979376bd
SHA1 hash: 3fef59687cf59a4a4195f5b55b04f3d299f9deb1
MD5 hash: 54c5a9fba620aab144c358a95372aaaa
humanhash: maine-georgia-nine-vermont
File name: PO0119-1620 LQSB 0320_COOcertifiedcopy _ pdf.exe
Signature: Formbook
File size: 744'960 bytes
First seen: 2020-11-17 14:55:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:L0XL2mYSmxXnb1mvOXyzF8MK/asForgkeUZtnV662CLR9NK3y4C:mAxfCzF5vsTUZtnV662cR23y
TLSH: BFF4E03A22389F25F07D8BB7A480990CB3F9DD028363D9367CE0F1E91AA1FA55531557
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 73
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Gathering data
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-17 07:02:02 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.hz007.net/sppe/
Unpacked files
Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
