MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9
SHA3-384 hash:	8f3ffd104321ad5b702404881f0c2639e55604e95ad386023669d3b829ad3eceebd9401d687f52623a8e5cae4a24f073
SHA1 hash:	0729e7e1300ab2b0fa9cf60d32cd2a15276a1f87
MD5 hash:	a57ad3a116cc0b544c63e7655047570f
humanhash:	bluebird-foxtrot-diet-skylark
File name:	Payment Copy (MT103 _03 _171023)_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	606'208 bytes
First seen:	2023-10-23 11:32:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:p//s02mvB+6ld9l/5ReV2fqy+/xCEL9HJfC/6afTTpcmUbgR/mZRM+:p//Z2mJ9p2hzhppqDrTpEgkZR5
Threatray	127 similar samples on MalwareBazaar
TLSH	T12DD423112ABD6B92D87E8BFF54A3142153FD8F1EB133E35C1D5614CD606AB20A2A1F4B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	TeamDreier
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Payment Copy (MT103 _03 _171023)_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-10-23 12:04:29 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/1dd0b233-c728-485b-a0c3-b5673378e84c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/653659fbe3768e7905c766cc/reports/960e8820-decb-4820-b399-9c45ea12134d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9a7fe74c-de5a-4481-b4f1-3bd0129dd43c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1330533

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-10-20 02:44:57 UTC

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=exugcdkihz2lvrf7y4mjayhh7xxno5pw5awnngz2g3i2ck2ofl4q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:eg02 rat spyware stealer trojan

Link:

https://tria.ge/reports/231023-nnwx4agb5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

d8cea6959178d5a11c3f2a6adb96be88ff20dbd8574f63192ae707871ee04a2a

MD5 hash:

c2b85011809883903b0826f7615eabfa

SHA1 hash:

dd531edc87f80620d3d07a11b0d8f96d6656738e

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/73ad1335-2fc4-46c0-a54e-ddc560f5d9a7/

Parent samples :

0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4
f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949
0372bd9c40187e5b4df86dae74c475d5f7b01de4424281dda221a579be971fb8
25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9

SH256 hash:

85cb15c8faf9637dfa21fdf4934793c2fce7a9e1fab54091645069c97357e860

MD5 hash:

0b89d8fc23753531ba10e3367e73751e

SHA1 hash:

c421597d6a8543f5fdb33de1075c0d56bffa7cf4

Link:

https://www.unpac.me/results/73ad1335-2fc4-46c0-a54e-ddc560f5d9a7/

SH256 hash:

cf596b1de95eef2d3b1d062241bf7fae076f4dcf8d0e7fb52dc9d534aaf001b0

MD5 hash:

31ef110d9a4a9000d26c785672131dcf

SHA1 hash:

911d57eaccc26277910e67cd07e762933eb7bcc4

Link:

https://www.unpac.me/results/73ad1335-2fc4-46c0-a54e-ddc560f5d9a7/

SH256 hash:

e7c9ff8519774eefb66d826ba1a10b4b8e05b082111fb306106649897290c242

MD5 hash:

b3c5147bc4c7645777a556b085446b19

SHA1 hash:

292acd0deaa0f1ec49150909f3993c23cd0037a6

Link:

https://www.unpac.me/results/73ad1335-2fc4-46c0-a54e-ddc560f5d9a7/

SH256 hash:

25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9

MD5 hash:

a57ad3a116cc0b544c63e7655047570f

SHA1 hash:

0729e7e1300ab2b0fa9cf60d32cd2a15276a1f87

Link:

https://www.unpac.me/results/73ad1335-2fc4-46c0-a54e-ddc560f5d9a7/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/25e8610d483e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample