MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace
SHA3-384 hash: 9884c416cfd8c23d37d6c6edd85639f8f21192067839db0bbc187082323e2cc12bcdf86c34a8863747520bb5f59e2d92
SHA1 hash: e73d1b324855ad03d1f644f8d72f9d29068c5811
MD5 hash: 78dfb0ba8e1d7d1f99986e0e89eb9da8
humanhash: hotel-oranges-one-rugby
File name:REF 225050.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'113'088 bytes
First seen:2022-03-24 09:57:35 UTC
Last seen:2022-03-24 11:44:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:E/0IQp6iKxqOHWTgIjG9QYULwUkfq8cOVjarMqJVkFlMb65dmZndIWij5KP713DM:4pHWTTjGeYD7C8XVSMM05S70fNUvs
Threatray 13'741 similar samples on MalwareBazaar
TLSH T15F35124672DBCE12CD2E9B7C449BD23013716E169523D71A3CC82DEB3B6A7D26B054E2
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
925
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257120/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Keylogger.AgentTesla.9791.2294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/623c40b3dfdfa8501cd7dc07/reports/6f7c1e05-9ffb-4c60-94d0-e8ddb99c55fc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcd246ef-21b2-4749-a030-522d8fc9d0ca
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/963659
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 09:58:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioo3l5u3jeerszgdgxczo66g3p4kuqjzrubeaqin724jrlox3lha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
190b1831c5dfcd818fb3a4ff19a5a0ebfdaec9598e71c7a8c9f56f6ac9e52c6f
Formbook
2b4ae3511a344b0417708b8bb5765da86678d5a8c4d87a367eec42937d242965
Formbook
39d7f0b102aca1db8c71a3a7af79ece2aa2100dbaf1c20237d75e36271833ef2
Formbook
9f085df3f1da75ba799ca984603fe267f891be8e6ac24c52b907cc97e6879467
Formbook
a2c0c62a11f867cff9fe7cd1b2597c9a7bb1c268e18e35289d6f7afdb2adbdbc
Formbook
b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c
Formbook
c86f3a2110ed2a8498cf30d4ab88cf9ea18edc612835fe2b369e7596dafb802e
Formbook
d67265883ffb3f3129132bfe1dad4a828c887266a0a005e814bcda58c525625b
Formbook
fce51b6f1f69629c651dfaedbcdcb55d25da39e8184614c1cb26e4c247f6d3ac
Formbook
+ 13'731 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
6d0548df967b7390cfd5bcf0969bd64a4f4f682053e64336b7f698c45e6efbb7
MD5 hash:
8112b6330d54935ca1c897b73c02d32a
SHA1 hash:
4de0774399802342d005f395a7fd0ed8a7ad3d46
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/db08fbc7-8552-4a4a-a2d4-f2994194d733/
Parent samples :
83e2d139b07165c8ee6bb9253d4a1df920ee6cebaa0d5bd16723848dc0c5613b
782df1aaa2744ba6a9efd5c9c05e16293e43a10093ab651866ceb009f977a9f6
350f69de23d0f180b69a85ef2b3a09195ebb95ac525d09082504d955f63f59e1
c86f3a2110ed2a8498cf30d4ab88cf9ea18edc612835fe2b369e7596dafb802e
a2c0c62a11f867cff9fe7cd1b2597c9a7bb1c268e18e35289d6f7afdb2adbdbc
439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace
934cdab74883aa6b38f53310f73ffd5b8c4a175fad14b9eb5c6873653242410b
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/db08fbc7-8552-4a4a-a2d4-f2994194d733/
SH256 hash:
dd347318ee0b98762e272d6ccf6045fc6820c0bdb069036d728482d4028eebd2
MD5 hash:
b872bf1ee6be2e7eb5180ed2028e2237
SHA1 hash:
07f167dbe2092105bcdd9ff021a16060dc42234f
Link:
https://www.unpac.me/results/db08fbc7-8552-4a4a-a2d4-f2994194d733/
SH256 hash:
69904947865f21b99fe6b18a5bfca863f24119cbfcec497357ecd399e96a6198
MD5 hash:
3a683f37940ea13bdf07e432e0e5e852
SHA1 hash:
068c2f1483d8b1c7d0c96172d32392319671fb56
Link:
https://www.unpac.me/results/db08fbc7-8552-4a4a-a2d4-f2994194d733/
SH256 hash:
439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace
MD5 hash:
78dfb0ba8e1d7d1f99986e0e89eb9da8
SHA1 hash:
e73d1b324855ad03d1f644f8d72f9d29068c5811
Link:
https://www.unpac.me/results/db08fbc7-8552-4a4a-a2d4-f2994194d733/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/439db5f69b49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 439db5f69b49091964c335c5977bc6dbf8aa41398d0240410dfeb898add7dace

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/257120/

Comments