MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f025f744bb97509425ac749ada6c20ef6439d193e537a013b981ad4d21e124. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 42f025f744bb97509425ac749ada6c20ef6439d193e537a013b981ad4d21e124
SHA3-384 hash: c69294e96daacc311c73d64080dbd39ce6e1ecf1f83188c92d59b69b82ad088bb86977c493d1207460eee94139b7ab86
SHA1 hash: 8fff79d4dcc22321b7e67afea5169d92d08a2ff9
MD5 hash: 2819516d8a8e7f8e0b9d188a6d5cb44a
humanhash: hamper-ink-mango-dakota
File name: 2819516d8a8e7f8e0b9d188a6d5cb44a
Signature: Formbook
File size: 655'872 bytes
First seen: 2023-04-11 09:34:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:FrIX6XeBNCUHrJVXDorlxxnnpY8kf0qbqIhUdkuoMZbyu7FlcyldbzhQq4:F7XqCUrzoBxxnpY8/qb3ZMZbD7zcyTl
Threatray: 2'521 similar samples on MalwareBazaar
TLSH: T18CD4012D3BB28F21D51C47B91040054163B4A18ABAE1D72FEF93A3C6AEB7B425D493D7
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 248
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: atlaszx.exe
Verdict: Suspicious activity
Analysis date: 2023-04-10 19:29:18 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: floxif formbook lokibot packed virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph: [graph image; Behavior Graph ID 844518, sample 0T7X1jCOEo.exe, start date 11/04/2023, architecture WINDOWS, score 72; top-level signatures: Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, Yara detected FormBook, 2 other signatures; process tree: 0T7X1jCOEo.exe starts three further 0T7X1jCOEo.exe processes and drops C:\Users\user\AppData\...\0T7X1jCOEo.exe.log (ASCII)]
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2023-04-10 17:30:29 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Formbook
Executable exe 42f025f744bb97509425ac749ada6c20ef6439d193e537a013b981ad4d21e124 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-04-11 09:34:13 UTC

url : hxxp://208.67.105.179/atlaszx.exe