MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09
SHA3-384 hash:	e5ed73aec671f4f7a0d61b4567efe1b27db5d52fb33c57021b27166eb790970b208c85e4e824267fdf00c8ab30897d0f
SHA1 hash:	cde536845aa356ad2913f19145156a8289c999c6
MD5 hash:	e49800b715646a9d30281adb67eedc80
humanhash:	green-five-timing-helium
File name:	SecuriteInfo.com.W32.AIDetectNet.01.22665.19646
Download:	download sample
Signature	Formbook Create hunting rule
File size:	604'672 bytes
First seen:	2022-06-15 03:38:06 UTC
Last seen:	2022-06-15 04:32:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:VEWjYZBwBO11TnzUwmj4StRgy7PZ/uw1ve6qvJmpsHnMet56r:kZBUOXTzUwy4Szgy7B2wtEJ3HM04
Threatray	13'594 similar samples on MalwareBazaar
TLSH	T1F9D4E16022BC431AD5BAEBFDF030506507F9B627312AF7AE4B5174C919D2792C933A63
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.22665.19646

Verdict:

Malicious activity

Analysis date:

2022-06-15 03:40:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6ffd6ab5-2853-4132-b0a9-fb49f458f58c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/280014/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.22665.19646.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a9543b96efd87b05f9e1d5/reports/f790f264-f537-4430-8177-3222f0d83abd/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1cbad855-56dd-4ce9-83b3-ab2870196cd6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1013387

Signature

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-15 02:14:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eyx3o6pmn7l4lbltyekib4rjh53ibm4nhnroxgwovhjcr3ikf4eq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4930c3f5a795efda4d972d34a905acd87d6b42ce7bd2b2652460390cb9464126

Formbook

69af526dae44e6d6cd6c83d443d2129c948e7c46d099d89f48a4bbecbab61cfd

Formbook

9f37e00170966e5610982ac2e08687d1d7367582d596c29938166a35b11408e6

Formbook

a52dca7952fc2f9e276a79f41db2de5dfc2f7cc77296a72534fb052e0deaf977

Formbook

ec6260e2fa3a7b5c332df32c1c44b13533a481d04add67596e632dc8898464c2

Formbook

f34e09df365f0897826e5b065f1112a53ed7b3b3be76fe90c9fc97658c4883f8

Formbook

fb8a5fdf6e7ff1a272f9384f5205ac8a271907266294044412629ee2c307128b

Formbook

+ 13'584 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:t19g rat spyware stealer trojan

Link:

https://tria.ge/reports/220615-d7l7wsbbgj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

Unpacked files

SH256 hash:

22abd8cd411559d6c2d6665d82495f9955656f03a9cccd1f17b42fb9c25e8a97

MD5 hash:

6a48a2225ff2075094b5faebe11e7df4

SHA1 hash:

09d61dd5729fb37b61dc91de43999d4d1c5ab302

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/c78cdefd-323c-460a-9a04-d25222b345c1/

Parent samples :

d4d430cfe4399aa57154854567d17ef118b6d0eee083b683f81957d2057949b0
262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09
4b8c3b49cc5ceaea396ffc0444d625d7cc3c231b973f2775a23ab3cafece504d
b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e
a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab

SH256 hash:

175cff92bf34ff57c083ad900b9971a1a21a085da649de2f42caa377bf4e0e48

MD5 hash:

05cd6ea0a5af21c23f972501be710822

SHA1 hash:

3634b733bb7f27093d5c01ef6d5c3ac7b94dfb67

Link:

https://www.unpac.me/results/c78cdefd-323c-460a-9a04-d25222b345c1/

SH256 hash:

062594c39230146a21404c1d5e534063e25f027ff1e4d805d37f801f93d0750f

MD5 hash:

0835b250c52733d033d8fc6de998a865

SHA1 hash:

dbe63058e0c9f95bd3e13e48158f427e5e42534c

Link:

https://www.unpac.me/results/c78cdefd-323c-460a-9a04-d25222b345c1/

SH256 hash:

5e95b92999dc337f367d2c8e91e68daadbcdfc537d2d11fa2612ce68a58e8d04

MD5 hash:

e3df2dd40f0ce5dcd593a52653983ca4

SHA1 hash:

d7d895a35867dc41c8a03ab5ec3aa4e38e1a08a3

Link:

https://www.unpac.me/results/c78cdefd-323c-460a-9a04-d25222b345c1/

SH256 hash:

262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09

MD5 hash:

e49800b715646a9d30281adb67eedc80

SHA1 hash:

cde536845aa356ad2913f19145156a8289c999c6

Link:

https://www.unpac.me/results/c78cdefd-323c-460a-9a04-d25222b345c1/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/262fb779ec6f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/280014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample