MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176
SHA3-384 hash:	79983a6e4626eaf941cdbd5f42127ad449a833b33d3074ac630f7309e317cf669f2fc857a7cbf588cd93ef16024b29a4
SHA1 hash:	fcf88f192af7b007480f86199e5af303a5eb8fce
MD5 hash:	c400fdb591634dab4a36be5c8da9c159
humanhash:	mobile-lion-mississippi-bravo
File name:	SecuriteInfo.com.Trojan.PackedNET.1822.8001.19350
Download:	download sample
Signature	Formbook Create hunting rule
File size:	834'560 bytes
First seen:	2023-02-07 12:50:15 UTC
Last seen:	2023-02-07 13:34:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:f7awxO5du+RPb7xz0yEkBB7qwvjZczOTZ:DTsfRTdz0y7j0OT
TLSH	T1B705221C2BFDDB20DA2E4BF9247809300B79AC297521F71D0DD261DA2FA3BA44552F97
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.1822.8001.19350

Verdict:

Suspicious activity

Analysis date:

2023-02-07 12:53:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9a9e6467-8ec3-41a6-aec5-8ed7468d101e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/361357/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1822.8001.19350.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

No Threat

Threat level:

2/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e2493a905a5ac3b909a70d/reports/9fcfc8fc-6a1d-4914-af52-8d5c98cf178f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20e7cd12-bd99-4622-b394-37e3058f4a03

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1167655

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-07 11:19:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fzngqsd7wjleb67x2tbffhqxxmqlfskixaxemtuviorf6nacof3a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230207-p3gmdseh7y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

6f21d46bc9ef68041d0b0ec89b878cae1e5b996988f5b367d54c46e00e782ef3

MD5 hash:

b23ff9e28cdfc56d60a68f42b346fc05

SHA1 hash:

e4eb037c7732ab9b73d59b66274816ae605dc3ee

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

Parent samples :

9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176

SH256 hash:

0d69ffb6d71bb73cb201c5d720e706020ecf8128b75a75df62b114a3a99709f1

MD5 hash:

dac31c8bc4e4a583f6571778e0cf57e9

SHA1 hash:

1a104ea41ecf0459fb8f5878182b5b1e48c4897d

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

SH256 hash:

6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef

MD5 hash:

f759d70f3bbee3865d9ba45b70c59bea

SHA1 hash:

f07ca29866cf8b0d92f18904860c40a284a5f550

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

SH256 hash:

65860c3e536e2603c5f5d3229d979de1957d1ac11223a03c427cb6107afc4ee0

MD5 hash:

d4bb6474f088f9a3c70f788844a62a7e

SHA1 hash:

9722a5a9356285e0954c0dc2f0e7b15479374584

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

SH256 hash:

9524ed7e3effe4433ebeddee4d27927ab59ac74cc9f0ae563e265a1fbd4a6a98

MD5 hash:

d8684e566a5f56e03af1281262660191

SHA1 hash:

77894dc7f6bd6c43052a47a15818d499f40ecb53

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

SH256 hash:

8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7

MD5 hash:

7f225c69df031bf0560aed3847a1221a

SHA1 hash:

4d5f3ccdb2c6015d2b2a73326c0f32b173af2819

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

SH256 hash:

2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176

MD5 hash:

c400fdb591634dab4a36be5c8da9c159

SHA1 hash:

fcf88f192af7b007480f86199e5af303a5eb8fce

Link:

https://www.unpac.me/results/a2fef9b3-5a40-416c-8a86-10f5516ff3f9/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2e5a68487fb2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/361357/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample