MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b
SHA3-384 hash: a8dfa390a09445112592b84686b607a6b4e369c979fe1d23107584371791ba14eba3a9c983171bb647b0d3e948ae51d5
SHA1 hash: 1f5658aa75101aec70f48038e09bd20ade00e68f
MD5 hash: aee03bf79fd98dbd7aa66fa6d507c4c4
humanhash: chicken-mars-india-washington
File name:akibet202304021122755.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:608'768 bytes
First seen:2023-04-20 10:16:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:o2iN1qgUdtEc+jgc2JrNpOLQDgnihki+F69COEneaGL:o1CnSUVrNcLegiKimneaGL
Threatray 2'687 similar samples on MalwareBazaar
TLSH T1B4D4F1EA42D09B5DE8412FFE5A055C2827F64DF5C4E4CE4DCAA7B4CB0DBC3218055EAA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
akibet202304021122755.7z
Verdict:
Malicious activity
Analysis date:
2023-04-13 14:04:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eced0e2c-07e2-40ac-b2b1-19352066c479

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383700/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
86%
Tags:
packed
Link:
https://www.filescan.io/uploads/6441112526946732737003c4/reports/cd83e9ef-c68e-4f51-9f6d-b37a38b74f49/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af488cc5-acb6-4582-85db-439b7a81b507
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1217921
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850870 Sample: akibet202304021122755.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 92 37 Malicious sample detected (through community Yara rule) 2->37 39 Sigma detected: Scheduled temp file as task from temp location 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 2 other signatures 2->43 7 akibet202304021122755.exe 7 2->7         started        11 zkStLjbU.exe 5 2->11         started        process3 file4 29 C:\Users\user\AppData\Roaming\zkStLjbU.exe, PE32 7->29 dropped 31 C:\Users\...\zkStLjbU.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\Temp\tmpA4F.tmp, XML 7->33 dropped 35 C:\Users\...\akibet202304021122755.exe.log, ASCII 7->35 dropped 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Adds a directory exclusion to Windows Defender 7->47 13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        17 akibet202304021122755.exe 7->17         started        49 Multi AV Scanner detection for dropped file 11->49 51 Machine Learning detection for dropped file 11->51 19 schtasks.exe 1 11->19         started        21 zkStLjbU.exe 11->21         started        signatures5 process6 process7 23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        27 conhost.exe 19->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gvgiouxisxsbh4sd3cetzmn2kpdb2noh4rbdhx6ftoc6haxmhsnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3
Formbook
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
Formbook
3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36
Formbook
48834270a70765c001a06f747884bc5289db6859b56609d0a7f2d1fd30cbb18e
Formbook
673a75c1f1f0092d9c281898b7e218b8c1440faa70990a5060bf8e560687e4b9
Formbook
702731122c8b3822ceb48373d0927109dceaad9de6bddb3ea451c3d406be5518
Formbook
a1e44dff73b4a8616ae1b39f3ecf82b457859f3aed8b208ae41e79d7d79c5ef2
Formbook
ce3c9c47d811745d5534bf268331382438b274a112d2327396cdc8623e82f98b
Formbook
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
Formbook
f762c98b251097d1cbc8bb09b9deb573132689d83996d6884984d3f334fd2f18
Formbook
+ 2'677 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230420-mbdejsbb71/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
d85e729c62684bdc5f34613b012f30c0ca59f45c43531eb7a5fbc04ec68f7e93
MD5 hash:
d40976db99bc249211fd127a5844a55b
SHA1 hash:
cc36f5f5418764df2f1a28acc089d31a5e73f3dc
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
Parent samples :
2b25388d41f694e67f7a237681dffe91afa258adbec617a6c203ba6fc0f6ae88
c7b18628cd2f25508290da77b3ad685ecc1d0e80edc5940dd4773b8dbe037209
281905755d85f44072ff82b42789ad01d144ef1ed016cba569bcb73d3e98ee49
354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b
SH256 hash:
78c2ddf3d7708086beb5ea57c40cc9f583f53bb38902a6ed8f9f57be3033700c
MD5 hash:
29338e689fca5831fb926f1361c098ed
SHA1 hash:
35dbf3f881074b6dffe491df0a77eebf0f7f3d55
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
SH256 hash:
f7b01ec31e7d61cdb0805f573edb5bbf74a0b6d1d79b3ec5885474d9b1b8ad00
MD5 hash:
ae96fc7e5b3911715303dcdc54861d68
SHA1 hash:
5a25f0c6e0cd9e2d9415a169b7aedc5d1afb47aa
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
SH256 hash:
de65381be9447f2243065809c79e6e8d188096f8bf1685446c119315e89e53a2
MD5 hash:
d0ed6e357ec62cda2852d1fffd272532
SHA1 hash:
07e8a66daea55a6a17d4f4a5aa1b3877e2a534ef
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
SH256 hash:
354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b
MD5 hash:
aee03bf79fd98dbd7aa66fa6d507c4c4
SHA1 hash:
1f5658aa75101aec70f48038e09bd20ade00e68f
Link:
https://www.unpac.me/results/01309ff7-1abe-4614-bc78-27ecf4134980/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/354c8752e895/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383700/

Comments