MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25ddae2daf0f3117cfed10da3447d26c5291a324b44534ed692a873934bac628. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: 25ddae2daf0f3117cfed10da3447d26c5291a324b44534ed692a873934bac628
SHA3-384 hash: cd72e1285ad01d8f75346cb251bdc09cbf9e997bf58dcb1899ec16e33b810611933abaeff7dd48b76c47c73d9ff893b7
SHA1 hash: e3b1b5ff8925ceddf82ed803d88dd22534f06796
MD5 hash: 74aae1b50286c9ab28374a79327ed371
humanhash: yellow-charlie-juliet-nitrogen
File name: x5SCX6JcAx3AM1x.exe
Signature: Formbook
File size: 1'022'976 bytes
First seen: 2024-03-22 07:21:25 UTC
Last seen: 2024-03-22 09:25:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:Q0KoFwmxYJHesNqj4URLuxDsw5UD1Q9kTnC5XWkPNZ2+3OthOcsuB8hV7gYza:vKoZSMsN6RLswhYkm5D+2UHsMEk
Threatray: 90 similar samples on MalwareBazaar
TLSH: T114257DD1B1A08DD6E86B0AF1AD3A943015E37E9D54A4C10C5A99BB5B36F3342209FF1F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 334
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 25ddae2daf0f3117cfed10da3447d26c5291a324b44534ed692a873934bac628.exe
Verdict: Suspicious activity
Analysis date: 2024-03-22 07:44:17 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph ID: 1413881
Sample: x5SCX6JcAx3AM1x.exe
Startdate: 22/03/2024
Architecture: WINDOWS
Score: 100

Root node, network: www.wikis-memories.net; www.vw-fs.com; 10 other IPs or domains
Root node, signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree (indentation shows parent to child; "injected" marks a process the parent wrote code into):
x5SCX6JcAx3AM1x.exe (started)
    signature: Injects a PE file into a foreign processes
    x5SCX6JcAx3AM1x.exe (started)
        signature: Maps a DLL or memory area into another process
        BUKbptIJcYplMRHKyPPMWsGS.exe (injected)
            signature: Found direct / indirect Syscall (likely to bypass EDR)
            compact.exe (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
                BUKbptIJcYplMRHKyPPMWsGS.exe (injected)
                    network: www.sparkwave.top 67.223.117.189 (ports 49746, 49747, 49748), VIMRO-AS15189US, United States; www.preznyweden.sbs 109.123.121.243 (ports 49764, 49765, 49766), UK2NET-ASGB, United Kingdom; 7 other IPs or domains
                    signature: Found direct / indirect Syscall (likely to bypass EDR)
                firefox.exe (started)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2024-03-21 07:25:10 UTC
File Type: PE (.Net Exe)
Extracted files: 33
AV detection: 27 of 36 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
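The behaviour lists above (UnmapMainImage, WriteProcessMemory, SetThreadContext, MapViewOfSection, "Queues an APC in another process", "Injects a PE file into a foreign processes") are the classic process-hollowing chain seen from the API layer. The following is an added example, not code from MalwareBazaar or any of the sandbox vendors quoted on this page: it runs a small ordered-chain detector over a constructed API trace. The trace format (`caller_pid api target_pid`) is an assumption for the example; a real sandbox emits its own format, and the label "UnmapMainImage" is kept only because that is how the vendor above names the NtUnmapViewOfSection step.

```python
"""Ordered-chain detector for process hollowing over a per-call API trace.

Added example for this MalwareBazaar entry; not vendor code. Trace lines are
constructed: 'caller_pid api target_pid', '#' starts a comment.
"""
from collections import defaultdict

# The classic hollowing chain in order. Each step lists the API names that
# satisfy it; Nt*/Zw* pairs are the same system call. APC queueing is folded
# into the hijack step because it serves the same purpose (redirecting a
# thread in the target into the written payload).
HOLLOWING_STEPS = [
    ("create_suspended", {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}),
    ("unmap_image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection", "UnmapMainImage"}),
    ("write_payload", {"WriteProcessMemory", "NtWriteVirtualMemory",
                       "NtMapViewOfSection", "MapViewOfSection"}),
    ("hijack_thread", {"SetThreadContext", "NtSetContextThread",
                       "NtQueueApcThread", "QueueUserAPC"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]
# A pair must complete these three steps, in order, to be reported.
REQUIRED = {"unmap_image", "write_payload", "hijack_thread"}


def step_index(api):
    """Index of the chain step an API name belongs to, or None."""
    for i, (_, apis) in enumerate(HOLLOWING_STEPS):
        if api in apis:
            return i
    return None


def parse_trace(lines):
    """Yield (caller_pid, api, target_pid) from constructed trace lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caller, api, target = line.split()
        yield int(caller), api, int(target)


def find_hollowing(lines):
    """Return {(caller_pid, target_pid): [step names]} for every cross-process
    pair whose calls complete the required steps in chain order."""
    progress = defaultdict(list)  # (caller, target) -> step indices seen, non-decreasing
    for caller, api, target in parse_trace(lines):
        if caller == target:
            continue  # writes into the caller's own address space are not injection
        idx = step_index(api)
        if idx is None:
            continue
        seen = progress[(caller, target)]
        if not seen or idx >= seen[-1]:  # strict ordering: a step cannot come before an earlier one
            seen.append(idx)
    hits = {}
    for key, seen in progress.items():
        names = [HOLLOWING_STEPS[i][0] for i in seen]
        if REQUIRED <= set(names):
            hits[key] = names
    return hits


# Constructed sample trace (not a real sandbox log): pid 1000 hollows 1001,
# pid 2000 only writes to itself, pid 3000 starts a child without injecting.
TRACE = """
# caller_pid api target_pid
1000 CreateProcessW 1001
1000 NtUnmapViewOfSection 1001
1000 WriteProcessMemory 1001
1000 WriteProcessMemory 1001
1000 SetThreadContext 1001
1000 ResumeThread 1001
2000 WriteProcessMemory 2000
3000 CreateProcessW 3001
3000 ResumeThread 3001
""".splitlines()

if __name__ == "__main__":
    for (caller, target), steps in find_hollowing(TRACE).items():
        print(f"hollowing: pid {caller} -> pid {target}: {' > '.join(steps)}")
```

The ordering check is what separates this from a bag-of-APIs rule: a process that calls WriteProcessMemory and SetThreadContext on another process in the wrong order, or without ever unmapping the target's image, is still suspicious but is not this chain, and a real detector would score it separately.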
Unpacked files
Hashes of each file extracted from the sample, given as SHA256 / MD5 / SHA1 (detections listed where the vendor reported any):
1. 5afe0bc3e464973c9a08020352a1c7ba71e991c4092322ac8a86910cbd719062 / 8b5ae32ac8482c1e6930bfb64ce734ae / 5bcbf2cde91f4d27ec4fdc8e7ae5af2a758a923b
   Detections: win_formbook_w0 win_formbook_g0
2. e10121aee2b732859c265618963a590078c63246a1361a90149b3c11ee114ae3 / 996aa60d0123423aca3dd3882627fb72 / c0bbaceb8910b7e69887c964fa1a55a2b81bed40
3. 8a42144bfaed7278d478bb226c64cfad8abd909f2f4ce18ed17018eebbd590dd / 10f2dcb1aa3ec0d37027968d347b257a / b2d1181f17169f535a8bfa614c21aab23260155b
4. f540fbc012c51d1f17c1bfbb00800d7a8543b4bc7b59da2c0cccfe5806381e41 / 9f19ddde4872bb90a092f7189e1c750b / 7adc9014705999ead72c9f33c676ec0011b73acb
5. 14641f03051d346aa3a24be14851261baa2ee6b1cff524ddca433fcc71d9542d / 6661bfd44985279631496543484323b1 / 5b3452b4c01b676f5ab2d4586819bd687456a34e
6. bf657d10bc001003ad2f136e49bdcc2c0005c96a8f96202cb15e22434616ae4c / cd8a5448d5b3d3322d329cdbb5457e4e / faeb52c42dbfc0bb1f6df65dd25182b7b4e9a35a
7. e48aff5e4d912669f25944f8ac93cdc4f86875fd46546a6a93f67edc62e2477d / c99e464b7360325c3228f9a654c28f78 / d79fc50549a4059b31e00ecdf884cdec33d23554
8. d3d6c0f3d6b97b80ef5c1409b5ee3eacd496f7b189808dfb4ce4caaaa8f7e66f / 0fee9b5a8793d3d7e77e05d0dc418358 / d11193adba8b799eb8b65f94bbe2081767d1ca19
9. 4554b86a7aa8294f07561726c5b5ad72e46d3667617337443a6ef7571eb3d2ba / 11b9804b9e23d8d705e182b0bad8689d / a53c51378dfd4e8756bf7d013095083229eea2bf
10. eb73c8a2e7c5d75f6a6c8a4c86cf7f90a69cfc16cd1c84ced290869e00d768d4 / 67bc242d147319d2564077969d7eec3f / 533321f9766becf25eb20165a3f2f1fde26477b3
11. 25ddae2daf0f3117cfed10da3447d26c5291a324b44534ed692a873934bac628 / 74aae1b50286c9ab28374a79327ed371 / e3b1b5ff8925ceddf82ed803d88dd22534f06796 (the submitted sample itself)
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
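Both findings come straight out of the PE optional header: Authenticode presence is the Certificate Table data directory (index 4) having a non-zero size, and HIGH_ENTROPY_VA is bit 0x0020 of DllCharacteristics. The following is an added example that re-derives the two findings from raw headers; it is not BLint's code and not MalwareBazaar's, and it goes slightly beyond the table by also reporting DYNAMIC_BASE and NX_COMPAT. The sample itself is not embedded; `build_minimal_pe` fabricates a header-only image for testing, and the finding IDs and severities are copied from the table above.

```python
"""Re-check BLint's Authenticode and DllCharacteristics findings from PE headers.

Added example for this MalwareBazaar entry; not BLint or MalwareBazaar code.
Parses only: optional-header Magic, DllCharacteristics, and data directory 4
(IMAGE_DIRECTORY_ENTRY_SECURITY, the Certificate Table).
"""
import struct

IMAGE_DLLCHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def parse_pe_hardening(data: bytes) -> dict:
    """Return image format, DllCharacteristics flags and Authenticode presence."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start at optional-header offset 96
        dirs_off, arch = opt + 96, "PE32"
    elif magic == 0x20B:     # PE32+: data directories start at offset 112
        dirs_off, arch = opt + 112, "PE32+"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    cert_size = 0
    # Only read directory 4 if the header actually declares it.
    if n_dirs > SECURITY_DIR_INDEX and dirs_off + 8 * (SECURITY_DIR_INDEX + 1) <= opt + size_opt:
        _, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    flags = {name: bool(dll_chars & bit) for name, bit in IMAGE_DLLCHARACTERISTICS.items()}
    return {"arch": arch, "dll_characteristics": dll_chars, "flags": flags,
            "authenticode": cert_size > 0}


def blint_style_findings(data: bytes) -> list:
    """Emit (ID, Title, Severity) tuples in the shape of the table above."""
    info = parse_pe_hardening(data)
    findings = []
    if not info["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    missing = [n for n in ("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT") if not info["flags"][n]]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (" + ", ".join(missing) + ")",
                         "high"))
    return findings


def build_minimal_pe(pe32plus: bool, dll_characteristics: int, cert_size: int) -> bytes:
    """Constructed header-only PE image for testing (not loadable, no sections)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_len = 240 if pe32plus else 224  # fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_len, 0x22)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)             # DllCharacteristics
    dirs_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs_off - 4, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * SECURITY_DIR_INDEX,
                     0x1000 if cert_size else 0, cert_size)          # Certificate Table
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_minimal_pe(False, 0x8140, 0)
    for finding in blint_style_findings(image):
        print("\t".join(finding))
```

A missing Authenticode entry is the norm for malware, so on its own it is a weak signal; HIGH_ENTROPY_VA only matters for a process that can run with a 64-bit address space, so read that finding alongside the image format the parser reports (TrID above classes this sample as a CIL executable, which the CLR loader may run either way).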

Comments