MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39ed06d45561dbc9d6a74b316a0aa149443c965132b5ca82703ef293041e605d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39ed06d45561dbc9d6a74b316a0aa149443c965132b5ca82703ef293041e605d
SHA3-384 hash: 6a0728807386008c52bf3b04270413839f472dec41a55583b22d583898b8e4a3821136a3003a859bef6fe74064e92d41
SHA1 hash: 0922d61a7face479a215fd9af4100664bb858fa1
MD5 hash: cb806214e182d54193c1653af9a1aa72
humanhash: cardinal-march-kentucky-arizona
File name:SecuriteInfo.com.W32.AIDetectNet.01.22030.13716
Download: download sample
Signature Formbook
Create hunting rule
File size:842'240 bytes
First seen:2022-07-20 15:33:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yN9Vaq31huG7FK1odS0fgkMEN6j6jpnr3u6NOFPCSAGo3HJ2Ye:AAOuUK1ozjMM6j6Nr3mxo
Threatray 15'814 similar samples on MalwareBazaar
TLSH T1B105BF057AE7CDC2C1784AB2CCC2704853725E09D42ADE8B2DC731D65A327D699F6A8F
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 62ceaea6b2969e8a (1 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/292957/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.22030.13716.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d820edf8c498cd9c529111/reports/5b4c5c76-e6bb-46df-bd6f-8093e646a182/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1037699
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/39ed06d45561dbc9d6a74b316a0aa149443c965132b5ca82703ef293041e605d/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 13:54:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhwqnvcvmhn4tvvhjmywucvbjfcdzfsrgk24vatqh3zjgba6mboq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0529130f4cb86fd0a8dcbd0d2ade580d721248a0503f20823373823a481aa7df
Formbook
19abd30bf9cb709307f9d1d1a2eda16d087dc4b699732841ea5a210aede0ebc4
Formbook
1f72cb6a89b2416ff755cd63ae5bd2c0016846f5351227cc80e2242060e88a1b
Formbook
4d69d40bb281b4f3e23d1a12e060e7705b2b4ac67ede8ea6ec593d1a5991d960
Formbook
7163a32593b5045deb3bdce59153aa423a4fb8a7b155d233040945455e9c23fc
Formbook
7289c62df413cf5b9c8cf723141af1017a8ee827b99b2ef47150032cc2e83f3c
Formbook
73a8edb10431e28b5accb188cfc72d781112cc710b0b5fe80e1a913bc6022030
Formbook
ee24a04b1dfb099dba9c6ea59d5225ad4f9a626d622475f5a77f2d325ff260b8
Formbook
efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff
Formbook
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
Formbook
+ 15'804 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220720-szrjzahhap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
07192c650187c2ab59220583e1ce2a3ae3624d507dfc4103bc53f03166831055
MD5 hash:
3b54c2596a5047bf6d02679d80ab2399
SHA1 hash:
a60b3f27b883a87efb630ff5e3b6e5f005a3acab
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6911cb9e-ce4a-4387-914a-36578f4a44e3/
Parent samples :
39ed06d45561dbc9d6a74b316a0aa149443c965132b5ca82703ef293041e605d
52e90b9f47896b2e091aeed7f2c939a1fb3380244684c2dd0cca49bf96cf2ea2
3cacc05e5b48854e2657ab6cb9e9fe64a531e15c36b5672160916b40cdeb3c4d
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/6911cb9e-ce4a-4387-914a-36578f4a44e3/
SH256 hash:
25eabca97a43d74b648b784b2bc98ce0f83679233b8e48ea06f8c33a99658f05
MD5 hash:
5f3b805fa33bda655146b92fe628b686
SHA1 hash:
c0aacddde30f66f26202be8a7a60ad0568e9eb5c
Link:
https://www.unpac.me/results/6911cb9e-ce4a-4387-914a-36578f4a44e3/
SH256 hash:
ca4e3745f87ae419e10fa9dd15e9814f66a7dca601ae70bd3ae3b0b0781e9491
MD5 hash:
6491ab64072f34a6124f4cdf1d9bdd43
SHA1 hash:
78008e0c188d1732ebb5bbfe6d15892ebe32b1f7
Link:
https://www.unpac.me/results/6911cb9e-ce4a-4387-914a-36578f4a44e3/
SH256 hash:
d9ec0e5f48d5a236353f067594150cf2d89ac9d34a2bb9cf93b5a037ca534098
MD5 hash:
b6fc2ce3d09c952e723f0a6c73bc0d88
SHA1 hash:
0e2655b9dc7c9ea0f3f9878ede22254fa64731ec
Link:
https://www.unpac.me/results/6911cb9e-ce4a-4387-914a-36578f4a44e3/
SH256 hash:
39ed06d45561dbc9d6a74b316a0aa149443c965132b5ca82703ef293041e605d
MD5 hash:
cb806214e182d54193c1653af9a1aa72
SHA1 hash:
0922d61a7face479a215fd9af4100664bb858fa1
Link:
https://www.unpac.me/results/6911cb9e-ce4a-4387-914a-36578f4a44e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/39ed06d45561dbc9d6a74b316a0aa149443c965132b5ca82703ef293041e605d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/292957/

Comments