MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36
SHA3-384 hash: f77cca264ac317f4e1beb290f0faccd78f37fe88b66a226f80b290c11a31b2728bc7f9e66e1058a2e7f3caf3cf3b58f3
SHA1 hash: 1beaebe90dedfd1794095d2102b2c63ffae47584
MD5 hash: a796251ffee9c25753eaabf7dc269716
humanhash: yankee-bulldog-moon-september
File name:update.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:290'304 bytes
First seen:2023-12-29 23:59:28 UTC
Last seen:2023-12-30 18:58:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:3A7gLat1cyT7Bnj9UL6iA7gLat1cyT7BnRb:w2aDcyPVSi2aDcyPV
TLSH T1A7548B3721C4F222C0595ABCC422BAFA1679DDCEDD22926FEE86BD96B431DF04973510
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter e24111111111111
Tags:exe xworm

Intelligence

File Origin
# of uploads :
4
# of downloads :
349
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
kelihos
Create hunting rule
ID:
1
File name:
bomb.zip
Verdict:
Malicious activity
Analysis date:
2023-12-30 16:52:42 UTC
Tags:
opendir kelihos trojan loader payload stealer stealc netsupport unwanted purplefox backdoor amadey botnet phorpiex dupzom vidar redline phishing lumma redosdru risepro guloader evasion nitol servstart agenttesla
Link:
https://app.any.run/tasks/86d9e27d-90b8-4de1-9bc7-e5b276dca0dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.50435.4728.32429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the system32 directory
Enabling the 'hidden' option for recently created files
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Creating a file
Launching a process
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/658f5d83f4b6e5e1635f6e6f/reports/d7ae608f-44e2-4f49-a5dc-855f9f45a3b4/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fd75834-87f1-4cce-99e3-0c43c1bb3f18
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368154
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368154 Sample: update.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 38 ip-api.com 2->38 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 4 other signatures 2->54 8 update.exe 1 5 2->8         started        12 WindowsSecurity.exe 2 2->12         started        14 WindowsSecurity.exe 1 2->14         started        signatures3 process4 file5 34 C:\Windows\System32\WindowsSecurity.exe, PE32 8->34 dropped 56 Detected unpacking (changes PE section rights) 8->56 58 Bypasses PowerShell execution policy 8->58 60 Drops executables to the windows directory (C:\Windows) and starts them 8->60 62 3 other signatures 8->62 16 WindowsSecurity.exe 14 2 8->16         started        20 cmd.exe 1 8->20         started        22 powershell.exe 21 8->22         started        24 WerFault.exe 12->24         started        signatures6 process7 dnsIp8 36 ip-api.com 208.95.112.1, 49729, 49742, 80 TUT-ASUS United States 16->36 40 Antivirus detection for dropped file 16->40 42 Multi AV Scanner detection for dropped file 16->42 44 Detected unpacking (changes PE section rights) 16->44 46 2 other signatures 16->46 26 WerFault.exe 19 16 16->26         started        28 conhost.exe 20->28         started        30 timeout.exe 1 20->30         started        32 conhost.exe 22->32         started        signatures9 process10
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-21 07:31:13 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
16
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbovo6waaaqfzqlkybsxgp63qkxfunjlu3bvctp3ikb356pqpi3a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231230-aabhcafbf9/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36
MD5 hash:
a796251ffee9c25753eaabf7dc269716
SHA1 hash:
1beaebe90dedfd1794095d2102b2c63ffae47584
Link:
https://www.unpac.me/results/31565164-2d37-44d1-9f86-85c7461fc9b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/305d577ac000/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 305d577ac000205cc16ac065733fdb82ae5a352ba6c3514dfb4283bef9f07a36

(this sample)

Formbook

Executable exe dd2a03e7f1522a6534e876ad3379572034e5c92733de349bb5bb0342f7173eac

  
URLhaus
https://urlhaus.abuse.ch/url/2745294/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 dd2a03e7f1522a6534e876ad3379572034e5c92733de349bb5bb0342f7173eac
  
Dropping
MD5 e58471f8d1dcb70c1a8912d1bca30a3e

Comments