MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
SHA3-384 hash: 0ee6159804e02981758aafae16b25f52092e118fbcb4d06d56bbcf77cbe01ce6c8b6b4a27548d2db4a9bbc20e446f756
SHA1 hash: 2ff954f2f223fe6e9fe2e78ace13427f07a5e69c
MD5 hash: 85c27234aa291cde56c1a78603d71081
humanhash: failed-double-whiskey-low
File name:85c27234aa291cde56c1a78603d71081
Download: download sample
Signature Formbook
Create hunting rule
File size:679'424 bytes
First seen:2023-10-03 15:55:41 UTC
Last seen:2023-10-03 17:34:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:uXiSAx5PWPQKpES7mmrcBzA5DpdwzV1PLR35XkYfdxTMcTIuIdY1Be:uX7Ax5uPdBcKpdwh1t3K+TT7IQe
Threatray 6 similar samples on MalwareBazaar
TLSH T160E4EF7A61F56AD5F4EA5EB75C5180407EFB5C0A9E20D20DE84831F8123379AC24A6FF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.2370.4675.16190.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d014edd4-0060-4db1-81f8-eff763b4b547
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318861
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318861 Sample: Wh8Bi8EnPe.exe Startdate: 03/10/2023 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 6 other signatures 2->58 9 Wh8Bi8EnPe.exe 7 2->9         started        13 xjNfBkrg.exe 5 2->13         started        process3 file4 46 C:\Users\user\AppData\Roaming\xjNfBkrg.exe, PE32 9->46 dropped 48 C:\Users\user\AppData\Local\...\tmpC253.tmp, XML 9->48 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 9->62 64 Adds a directory exclusion to Windows Defender 9->64 66 Injects a PE file into a foreign processes 9->66 15 Wh8Bi8EnPe.exe 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 22 xjNfBkrg.exe 13->22         started        24 schtasks.exe 1 13->24         started        signatures5 process6 signatures7 72 Maps a DLL or memory area into another process 15->72 74 Queues an APC in another process (thread injection) 15->74 26 JKnIBdvetLkqNp.exe 15->26 injected 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 JKnIBdvetLkqNp.exe 22->32 injected 35 conhost.exe 24->35         started        process8 signatures9 37 wscript.exe 26->37         started        50 Maps a DLL or memory area into another process 32->50 40 cmmon32.exe 32->40         started        process10 signatures11 60 Maps a DLL or memory area into another process 37->60 42 explorer.exe 1 37->42 injected 44 JKnIBdvetLkqNp.exe 37->44 injected process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 15:10:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iz6ffkippuj6cuyyzwggrtgtja7x3zohfdirg6iwwh2ebkq6cdeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0dbd5fe8345cdb46f5611862dc31279c99cd60bb4931e6d924f34e84519f35b8
Formbook
308bba46bfcb12039b06105bef71afccd82acb7df7658a8a4497c1955c67ee5d
Formbook
3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6
Formbook
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
f171f8699ea2ebefdf7cdf2665d344cb46d0095c3fd89da5ed3c2bc0bdb3aaf3
Formbook
f4c3fd0e00326b94391240d6f460ef2501f5985e6e09d3e2e4728441c91417e2
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231003-tdb3tsdc5z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
bee48cb265ad0298ea643510c578d72a02b3b91981bcc128f1f7096b7a014095
MD5 hash:
64ec8a5b9495c25a0c5c66819c063167
SHA1 hash:
2187ab805f9783cdd818735c229c068be5d077b3
Link:
https://www.unpac.me/results/44a1e0a5-007c-4ee7-8922-709529f46506/
SH256 hash:
bfdeb419dae055cb8ebab3a2749dd7cab9f264efec3f3ca06b29b89c7ae023b8
MD5 hash:
a585a18501458db1b2043805fc99c387
SHA1 hash:
62b560f1aadc8b3c17175f59ef29a471f2bee850
Link:
https://www.unpac.me/results/44a1e0a5-007c-4ee7-8922-709529f46506/
SH256 hash:
54431b8241482126d4250c1e4afbc5ed230f4e5ec3f3d329816b5d8736658270
MD5 hash:
864b2a21cd2fe90f9fb3e9dfc6172415
SHA1 hash:
9b3d2ec6dbbb0b93d5d9d16da962aa0332b9152d
Link:
https://www.unpac.me/results/44a1e0a5-007c-4ee7-8922-709529f46506/
SH256 hash:
4d78b0619be99ccb136ef2c87e9e15343f332224634aa1806c8d4bb28b8483f9
MD5 hash:
726142203fb68f0949cb3f0784c98898
SHA1 hash:
8005a61bcfb2518aceef7fd7bb2e550a59c83c6e
Link:
https://www.unpac.me/results/44a1e0a5-007c-4ee7-8922-709529f46506/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/44a1e0a5-007c-4ee7-8922-709529f46506/
SH256 hash:
467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
MD5 hash:
85c27234aa291cde56c1a78603d71081
SHA1 hash:
2ff954f2f223fe6e9fe2e78ace13427f07a5e69c
Link:
https://www.unpac.me/results/44a1e0a5-007c-4ee7-8922-709529f46506/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2716162/

Comments


Avatar
zbet commented on 2023-10-03 15:55:42 UTC

url : hxxp://198.46.176.140/250/audiodg.exe