MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 22 File information Comments

SHA256 hash:	5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5
SHA3-384 hash:	8ea4c50260c5f380826c6fccc96e4e238b2a3dd1abd87810e1dcc4ccf2c22222d4bb4d39c7134abe945c2e1d7361278e
SHA1 hash:	a53c8913bc2ad5decabe1df03550a1eeabb12e8a
MD5 hash:	e7b89b555dfcca8310c7d842003ef735
humanhash:	papa-mockingbird-rugby-maryland
File name:	New Inquiry.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	314'368 bytes
First seen:	2023-11-21 09:22:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:dDmad57Xe1l3i+4xlaHU9N4ah/7/GhRbQ2YxOGtfxQRrX5wqu3:dKSla0cahj/GhRbQ1xhQxqqu3
Threatray	2'218 similar samples on MalwareBazaar
TLSH	T1BA64F094B4AC1F22F4B6C7F442196556EF72259F691CF1693D8A90DBA434F008F22FA3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

315

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/459477/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.62.67.12116.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/655c7702fdeadea4ee83a482/reports/dd227edc-0e94-44fc-b162-70dccc4e01bc/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e6121a4-472f-445d-aa3f-fef6463c53db

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1345696

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-13 20:20:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kim7dgpu6i2lulrnxtq2ygxkskk4suxqptblqrk6ptkd6z6xdhsq._file

Verdict:

malicious

Label(s):

formbook

Formbook

6282a84266a87aa1e62b1304913bfdc8ce4c122f59f5731503f78655beaaa27e

Formbook

a40c92a00ca0f04cd04883d555859cf2c8e884a01329defd3631c7cc61204ff8

Formbook

b2d2e3fea2eadfb727bfb8fd5ff090a1072dfae8b63a7f29d992ee50f820c182

Formbook

bb8548a744cd648172b769babfe7fb42aec25bc35e812f491af41d31c4c92d13

Formbook

c4f6b7795e7c6267497a352a75628f59778b0345d719fb49eca4967a681b5728

Formbook

c953dae7bfd1496fc834bbd6b5346c86275d5b76503aaea43ce8cfb31bcd6e7b

Formbook

+ 2'208 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:o11y rat spyware stealer trojan

Link:

https://tria.ge/reports/231121-lcgypade62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

9a4b43e60f5fabee97075207242bcf5127e8ef726277667f050234fc35e1c810

MD5 hash:

0290553016df26e4890f66f68d91a23b

SHA1 hash:

ffda62ac3fd831ec2e95410f6ffa5b70f4455da1

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Formbook

Link:

https://www.unpac.me/results/afa00c83-0fe4-4ca9-8fbf-3a25467c3ad5/

Parent samples :

c4f6b7795e7c6267497a352a75628f59778b0345d719fb49eca4967a681b5728
6282a84266a87aa1e62b1304913bfdc8ce4c122f59f5731503f78655beaaa27e
129156f77f3dca373d74c668a7e4250e0812fb36bdb926aeb2ef0dec4c122846
5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5
5485b48416b0245aa21eae044bb2325a0e102681827134bfe8f4344edc0f5e43

SH256 hash:

cf3cb1ed1ab91dd1aca86208468b26e891f535f75ebff7e83184cc306fc931d4

MD5 hash:

2adaed22e634cca06d543f6526b7dbca

SHA1 hash:

be0ad51699017d10ef6006b3d4a1f42c59fc2b07

Link:

https://www.unpac.me/results/afa00c83-0fe4-4ca9-8fbf-3a25467c3ad5/

SH256 hash:

5a5903229951dafdd1888a247c3d3cc6f2a2b550b529da41b8b08a89108dda4a

MD5 hash:

0b828a4e554a269bb8a709dae9fed92c

SHA1 hash:

68944f3e4eddabef5b4de62e0ff41444e33dc77d

Link:

https://www.unpac.me/results/afa00c83-0fe4-4ca9-8fbf-3a25467c3ad5/

SH256 hash:

5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5

MD5 hash:

e7b89b555dfcca8310c7d842003ef735

SHA1 hash:

a53c8913bc2ad5decabe1df03550a1eeabb12e8a

Link:

https://www.unpac.me/results/afa00c83-0fe4-4ca9-8fbf-3a25467c3ad5/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5219f199f4f2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 5219f199f4f234ba2e2dbce1ac1aea9295c952f07cc2b8455e7cd43f67d719e5

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/459477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample