MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933
SHA3-384 hash: 1ce67058797b0c4b6a001d8f5b2eb57f41392baf6222c0111ac1661e9a3ae88fa8ffbe444adaf301d33a7ca3fd9cd08d
SHA1 hash: 3c05b36c012ef6c038a619467b9d483d98f73a6f
MD5 hash: 1ce60bdb0fa8691cb82f51ed461ef673
humanhash: bluebird-fillet-nevada-mars
File name:Halkbank_Ekstre_20230426_075819_154055.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'007'104 bytes
First seen:2024-01-12 13:13:16 UTC
Last seen:2024-01-12 15:17:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:VVwoIc0zQMM0cNnqr49tIl44ORRDG62trGlx+EXoul61zJdX8Usbh:rwoIc0FFcFJ9tk7ORRSyLoW61787h
Threatray 115 similar samples on MalwareBazaar
TLSH T1F8257ED5F150CC9AED6F06F1BD2AA53025A3AE9D94A4810C569DBB1736F3342209FE0F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo Halkbank TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470526/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65a13b235d1422b20811943e/reports/4ca6f6cd-72d2-47f1-b59a-c86964a5bc5d/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50143a2e-20e6-4ce0-91f1-42f7dfe8899e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1373737
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933/
Threat name:
Win32.Ransomware.Loki
Create hunting rule
Status:
Malicious
First seen:
2024-01-11 13:35:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gprbs7epajdwpaydkdmvpicy4iosdmkfotmenoelyg5okb74lezq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26ed54f0d441f0f3dd744f03f30d8f1fa01de0ed267df7b7fec4c9b2eab742d2
Formbook
3bccd5cdf61005f1008359d1fbf6bd705994189ddb234bdd25dc433866aa1f1f
Formbook
3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e
Formbook
4efc9ad66b0d09b4e5ddae9e2c02bd112cb6e8cb7e9881969f231a10768b558f
Formbook
5b1fa880d6f314e204011dae8376ae6766d350277c5b80859efe775b5fd7091b
Formbook
afd7592da43e21b2731f1fd0e3c11b95e5d87ce3ef2967240089331c7bb367d6
Formbook
+ 105 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240112-qgndgsgfbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
0c6d69a44ab790d2b5c969bb6fe745922c021c5a8045db416d95d66fea7f6949
MD5 hash:
d4fa28533a5dab916e6b1b29272d9894
SHA1 hash:
0b525a5bef5a0a5588f6d5279eae2760df5dcb60
Link:
https://www.unpac.me/results/d856664c-35c8-40a5-b319-a28d9ab2148e/
SH256 hash:
a99197a2e3f477d15802a9b2250a01f7cd2be8ed435141a4e280307f2a7f2b7a
MD5 hash:
9ac50796df27f8b3977d71000d15927c
SHA1 hash:
dcf769debf4522b0800188ab9cbef26d1dbe8aed
Link:
https://www.unpac.me/results/d856664c-35c8-40a5-b319-a28d9ab2148e/
SH256 hash:
05c701e796567a98afd664481f2667abff69a58a6d8ad3af7616a27cc4f36ed4
MD5 hash:
4b462faff3377bfbfc79fa40c9e87b60
SHA1 hash:
f719f9c1dd83df22a212ac700cd56e20e7fd892c
Link:
https://www.unpac.me/results/d856664c-35c8-40a5-b319-a28d9ab2148e/
SH256 hash:
21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash:
440bb4db146ccb1161ac2bcf365d7676
SHA1 hash:
506eda511b46df6e95d86861e70fda81307f8623
Link:
https://www.unpac.me/results/d856664c-35c8-40a5-b319-a28d9ab2148e/
SH256 hash:
f7db15a8f6f99766b335652f914252b82c47f8c3b2eb635eb68efd24c9d33b70
MD5 hash:
522c3e23a74c684628eddb7a7740bb34
SHA1 hash:
2fc4bed027df11603febbc3eba0f65a098560664
Link:
https://www.unpac.me/results/d856664c-35c8-40a5-b319-a28d9ab2148e/
SH256 hash:
33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933
MD5 hash:
1ce60bdb0fa8691cb82f51ed461ef673
SHA1 hash:
3c05b36c012ef6c038a619467b9d483d98f73a6f
Link:
https://www.unpac.me/results/d856664c-35c8-40a5-b319-a28d9ab2148e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 33e2197c8f024767830350d957a058e21d21b14574d846b88bc1bae507fc5933

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/470526/

Comments