MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b
SHA3-384 hash: e08ca00865dfa528697c5a1d8b65c62a408e666ff57f34fb6e2d39a49fcbc165e1775afbdd3dea3f314a4fbd3f97bb58
SHA1 hash: 194ab5ea2f9dce656094bec51de2ba82e27542de
MD5 hash: b7665e29235400f9e7dc8a695ea74806
humanhash: venus-saturn-aspen-hamper
File name:SecuriteInfo.com.Win32.PWSX-gen.22879
Download: download sample
Signature Formbook
Create hunting rule
File size:841'728 bytes
First seen:2022-09-22 14:09:57 UTC
Last seen:2022-09-30 08:40:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+u0xjPKYGaJTf2jsKXRKGXQzjMMXSNodd2YTOZ06e8ez:MmYD9f2js6PQzjMsSyyYV
Threatray 15'962 similar samples on MalwareBazaar
TLSH T17F05DF2297DA5F4BC01163B89491C6B157AAEF05D03EC2476EEA7C9FB0B27D19221F13
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.22879
Verdict:
Malicious activity
Analysis date:
2022-09-22 14:14:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57f0e782-80a4-4518-abfd-c272b920df25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312364/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22879.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632c6d06b333b2ec6b42b4b9/reports/14e7a298-4765-469e-a094-30bf1c590a8b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71d822ba-fdab-45ea-9b27-f0cf4469160a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075349
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 14:11:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=khzk5vqoj2koj72efkajwy7u3u5almvq5dlnvvpfsx34fia7revq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
098ffd461615734bfd5dbf239b55879a23d7a4b79665fbeca75d1bd01ca9f0e2
Formbook
2e22d1469e5bc652bc2a5d4180e4ade7f280515b12546416dd9cea6ea4b2ca3b
Formbook
5c58e2edb4b7fa9a04901a73e7f34e5a93aec5703e03ec87f79b2799b7be7119
Formbook
6c965da9d80ec1d06808f408eabc3bb38581c9a3a862179d5496b35320f80a81
Formbook
959fc8883e6b1d4ab77f9738792435e2dae1969530f36d2672db6cb397778687
Formbook
96df49e0deef67a2fc032cf1018662606bdef066655c1f31f135ccf8e68bace5
Formbook
c0b433e9f4a2438b5647e9e2e236747cc55e931e46da8e52531b1c70786467d2
Formbook
+ 15'952 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:lsg6 rat spyware stealer trojan
Link:
https://tria.ge/reports/220922-rgqz2sfder/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/320ebff1-34d5-417d-bf42-c27719cd361d
Unpacked files
SH256 hash:
2b973882d230daec9bb453ade787729b8a2425f237a43cec483b87ab3c78811b
MD5 hash:
bebc1db2e8261b4ba9d191b90789d92c
SHA1 hash:
dc241d081836dde0be5ac13e2eb5e66af5e2b640
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a0733e8f-cb05-43af-967a-cdcb96f8b9f4/
Parent samples :
ba31a3552408e0705d29a1021b662de94a2adda9f5e994ed99ac78c89ff32f18
877b26e0bec03030ed3d0d7a92c53c46e6f696df51be924817421f1685d21b50
96df49e0deef67a2fc032cf1018662606bdef066655c1f31f135ccf8e68bace5
70d121cfabbbf118335b8ae4f6a3a072f09ce2f11bd73c711120fa9070d608e3
a0bb4aba51b98f18ee5fb62cca841faf2e7aabb304300cc7d4d90125cba09d61
c79bd4c69c806e1516f6cf2160ffa1172e074fbe652bd3793f661aaa39cccab9
51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b
cd5be9697ae42581a073c8bb97da6b7d67becea5e83b4dc259b0e47ef54029d9
e8911ed914364aaa1dbffcfe55c53e2932e9f38ea490523a8bcaf8e13633187a
SH256 hash:
2107e4fc16f2700371be9880d4b26327a4aa8544cfbe3db136214d3a45f6159d
MD5 hash:
6e3021ff5fd4f356c25537fcc8848c42
SHA1 hash:
98d45ac91c83f1cd1b8202c0c0406d834cca2e3f
Link:
https://www.unpac.me/results/a0733e8f-cb05-43af-967a-cdcb96f8b9f4/
SH256 hash:
e2c5312b9223a3655a5831557cf21305adcbc9d9c72fa716919f362616126380
MD5 hash:
7cabf69605be8bb3a07c1c9e45b18f42
SHA1 hash:
8de08141c8f6284beb133318913f734d5f4da9c3
Link:
https://www.unpac.me/results/a0733e8f-cb05-43af-967a-cdcb96f8b9f4/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/a0733e8f-cb05-43af-967a-cdcb96f8b9f4/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/a0733e8f-cb05-43af-967a-cdcb96f8b9f4/
SH256 hash:
51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b
MD5 hash:
b7665e29235400f9e7dc8a695ea74806
SHA1 hash:
194ab5ea2f9dce656094bec51de2ba82e27542de
Link:
https://www.unpac.me/results/a0733e8f-cb05-43af-967a-cdcb96f8b9f4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51f2aed60e4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 993f8563f0514079ca2b55cefb8201358ec7a3aa36e968abe1e87b834888aa3d

Formbook

Executable exe 51f2aed60e4e94e4ff442a809b63f4dd3a05b2b0e8d6dad5e595f7c2a01f892b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/312364/
  
Dropped by
SHA256 993f8563f0514079ca2b55cefb8201358ec7a3aa36e968abe1e87b834888aa3d
  
Dropped by
MD5 59a954924e35f0f0738185fda002e60e

Comments