MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
SHA3-384 hash: 344dd55b810bdf4cbcd6683b56a44d7f1a496d7c61dbf810de1c4f770707a0a80729b912393faa44ebb25a2dc8f3ea22
SHA1 hash: 9d49fb2be56c64dcaf91b245618a1d53e6daae3a
MD5 hash: b423441aebced4835a2a26e1d6bc40b7
humanhash: mobile-bulldog-fillet-asparagus
File name:SecuriteInfo.com.Win32.PWSX-gen.31726.22739
Download: download sample
Signature Formbook
Create hunting rule
File size:830'464 bytes
First seen:2023-01-20 10:34:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:V5Q13ZCjpW9qNb/QTpiUUqXb3XC3qKmOG6pG2nJV4ilzP:V5G3M+yLQd1bImoVz4OP
TLSH T1A6057B517191C2D5ECB54E780638F92427959E5BE32D41AE7EC7343A88F3B8B84783A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.31726.22739
Verdict:
Suspicious activity
Analysis date:
2023-01-20 10:37:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f682cdba-3d48-4167-aa6e-fad278da8639

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/354904/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31726.22739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ca6e5989bd67c10fd8d0fa/reports/50c9f9a0-db4a-4131-8fad-a3d5398f6ac4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a657a34-89fa-4985-a839-096352c9c419
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1155448
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 09:53:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eri42juqn475cgdlnokykv6bqxrvkt3w5qsi3dvjittmptdqiq7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230120-mmnpnaae54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
6f21d46bc9ef68041d0b0ec89b878cae1e5b996988f5b367d54c46e00e782ef3
MD5 hash:
b23ff9e28cdfc56d60a68f42b346fc05
SHA1 hash:
e4eb037c7732ab9b73d59b66274816ae605dc3ee
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
Parent samples :
9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176
SH256 hash:
0d69ffb6d71bb73cb201c5d720e706020ecf8128b75a75df62b114a3a99709f1
MD5 hash:
dac31c8bc4e4a583f6571778e0cf57e9
SHA1 hash:
1a104ea41ecf0459fb8f5878182b5b1e48c4897d
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
SH256 hash:
1b6b28b2123b675c3fd5649f100cf494f67cba6b17911b66ac8d3fbda18c1d7d
MD5 hash:
a55f804cf3f6048c45194fe37932afe7
SHA1 hash:
f6f58a6f258b8eab57c832163a1576710ab33f5e
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
SH256 hash:
b6f95f2092fffe36bd6d62b83f0fe06e9196af486341bb247f860e765579f42a
MD5 hash:
ddafd722e574ac609641a10d40105e2a
SHA1 hash:
92a4501a2312362c2184a07c716892df9e846439
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
SH256 hash:
ced6a5eb83790563f7b2f4f2185fce4a4a76816136d03cc18c80d55bb874be0b
MD5 hash:
664f252f258c9bd6b8693838ae889246
SHA1 hash:
74845beade758ef599b053142c2e0feae80d49e1
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
SH256 hash:
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
MD5 hash:
b423441aebced4835a2a26e1d6bc40b7
SHA1 hash:
9d49fb2be56c64dcaf91b245618a1d53e6daae3a
Link:
https://www.unpac.me/results/41ad2093-e4ff-4384-a7a7-eb746b585e68/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2451cd26906f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354904/

Comments