MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53ef40bd7a3f40011262485f65a14550440b994ed5e902c9e8896bf22d2519cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: 53ef40bd7a3f40011262485f65a14550440b994ed5e902c9e8896bf22d2519cf
SHA3-384 hash: 1b77ef871927c680922300bdc5e87ae34ae13ff8c01f5953d73daddf9c22bca756ee5810f325dfcf27a5bcd9ef5ad138
SHA1 hash: 069f98c68b9056e592e5e5525358d8e3e224d796
MD5 hash: b156732979da3d9bf2910b2d13c98a17
humanhash: finch-queen-kansas-chicken
File name: SecuriteInfo.com.Win32.PWSX-gen.30802.18675
Signature: Formbook
File size: 710'144 bytes
First seen: 2022-11-02 04:59:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:vQAgHtDg5xE1vY/NhqNRa9XW/2SlaYqOjP7rqERY21yFLHoLMc:U452iXyR0MjP3qo12LIx
Threatray: 16'856 similar samples on MalwareBazaar
TLSH: T115E4C02439EB622EF2739F711FD4B8EE89EEF6322606B47D145007C64722E41DE91639
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 0c00ccecb892b1a8 (9 x AgentTesla, 5 x Formbook)
Reporter: SecuriteInfoCom
Tags: exe FormBook
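Two of the structural pivots on this entry, the imphash and the icon dhash, reimplemented in Python as an added example (this is not MalwareBazaar's or pefile's code). The imphash listed above is shared by 48'652 AgentTesla, 19'463 Formbook and 12'204 SnakeKeylogger samples, and the code shows why: it reproduces the value from the single native import a pure managed .NET executable carries, mscoree.dll!_CorExeMain (an assumption drawn from the TrID "Generic CIL Executable" result), so the hash identifies the CLR stub, not the family. The dhash part implements the usual difference hash over a box-downscaled 9x8 grayscale icon; the page does not state MalwareBazaar's exact resize and bit-order conventions, so this demonstrates the technique and the Hamming-distance pivot rather than reproducing 0c00ccecb892b1a8. The two icons are constructed, and the ordinal handling omits pefile's ordinal-to-name tables.

```python
"""Two pivots from this MalwareBazaar entry, reimplemented so it is clear
what each keys on. Added example, not MalwareBazaar's or pefile's code."""
import hashlib

_DLL_EXTS = (".dll", ".ocx", ".sys")


def imphash(imports):
    """pefile's recipe: lowercase 'dll.function' pairs in import-table order,
    DLL extension stripped, joined with commas, MD5. An int function means an
    ordinal import and is rendered 'ordN' (no ordinal-to-name lookup here)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in _DLL_EXTS:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
# Assumed import table of a pure managed .NET EXE (TrID: Generic CIL Executable).
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]


def imphash_pivot_strength(value, family_counts):
    """family_counts: {family: samples sharing this imphash}, as listed on the
    entry. Says whether the value is worth pivoting on for attribution."""
    if value.lower() == imphash(DOTNET_EXE_IMPORTS):
        return "generic .NET stub: identifies the CLR loader, not the family"
    if len(family_counts) > 1:
        return "shared across families: likely a common packer/loader"
    return "family-specific: usable as a pivot"


def downscale_gray(pixels, width, height):
    """Box-average a grayscale image (rows of 0-255 ints) to width x height."""
    h, w = len(pixels), len(pixels[0])
    out = []
    for y in range(height):
        y0 = y * h // height
        y1 = max((y + 1) * h // height, y0 + 1)
        row = []
        for x in range(width):
            x0 = x * w // width
            x1 = max((x + 1) * w // width, x0 + 1)
            block = [pixels[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(pixels, hash_size=8):
    """Difference hash: resize to (hash_size+1) x hash_size, emit one bit per
    horizontal neighbour pair, 1 when the right pixel is brighter (assumed
    convention), rows top to bottom, MSB first; returned as hex."""
    small = downscale_gray(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return f"{bits:0{hash_size * hash_size // 4}x}"


def hamming(h1, h2):
    """Bit distance between two hex hashes; small values mean near-identical icons."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


# Constructed icons: an 18x16 left-to-right gradient, and the same icon with
# a single darkened pixel in the top-right corner.
ICON_A = [[x * 255 // 17 for x in range(18)] for _ in range(16)]
ICON_B = [row[:] for row in ICON_A]
ICON_B[0][17] = 0

if __name__ == "__main__":
    print(imphash(DOTNET_EXE_IMPORTS), "==", PAGE_IMPHASH)
    print(imphash_pivot_strength(PAGE_IMPHASH,
          {"AgentTesla": 48652, "Formbook": 19463, "SnakeKeylogger": 12204}))
    print(dhash(ICON_A), dhash(ICON_B), hamming(dhash(ICON_A), dhash(ICON_B)))
```

Practical consequence: hunting on this imphash will return every .NET stub on the platform, so pivot instead on the ssdeep/TLSH values, the dhash (which here keys on the icon the packer stamped on 14 samples across two families) or, better, the unpacked payload hashes further down the page.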

Intelligence


File Origin
# of uploads: 1
# of downloads: 245
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Win32.PWSX-gen.30802.18675
Verdict: Malicious activity
Analysis date: 2022-11-02 05:02:50 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 735631
Sample: SecuriteInfo.com.Win32.PWSX...
Start date: 02/11/2022
Architecture: WINDOWS
Score: 100

DNS names contacted:
  www.bigger-boss-clothing.com
  www.streamtoday.us
  bigger-boss-clothing.com

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Sigma detected: Scheduled temp file as task from temp location
  8 other signatures

Process tree:
  SecuriteInfo.com.Win32.PWSX-gen.30802.18675.exe
    dropped: C:\Users\user\AppData\Roaming\yIgfWm.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmpE770.tmp (XML)
    dropped: SecuriteInfo.com.W...30802.18675.exe.log (ASCII)
    signature: Uses schtasks.exe or at.exe to add and modify task schedules
    -> schtasks.exe
         -> conhost.exe
    -> SecuriteInfo.com.Win32.PWSX-gen.30802.18675.exe
  yIgfWm.exe
    signature: Multi AV Scanner detection for dropped file
    signature: Machine Learning detection for dropped file
    -> schtasks.exe
         -> conhost.exe
    -> yIgfWm.exe
         signature: Modifies the context of a thread in another process (thread injection)
         signature: Maps a DLL or memory area into another process
         signature: Sample uses process hollowing technique
         signature: Queues an APC in another process (thread injection)
         -> explorer.exe (injected)
              -> colorcpl.exe
                   signature: Modifies the context of a thread in another process (thread injection)
                   signature: Maps a DLL or memory area into another process
              -> autofmt.exe
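Detection logic for the two host-side behaviours the sandbox chain above records, the scheduled task built from an XML in %Temp% and each stage re-launching its own image before injecting, run over constructed process-creation events. This is an added example, not MalwareBazaar's, ANY.RUN's or any sandbox vendor's code. The events use Sysmon Event ID 1 field names; the report names the dropped files but not the exact command lines, so the schtasks command line and the task name "Updates\yIgfWm" are assumptions consistent with the tmpE770.tmp drop.

```python
"""Detection for scheduled-task-from-temp and self-re-execution, over
constructed Sysmon-style process-creation events. Added example, not any
vendor's code; command lines are assumed, not taken from the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the creating process


# schtasks /Create ... /XML <path>; the XML path may be quoted or bare.
_CREATE_RE = re.compile(r"(?i)(?:^|\s)[/-]create(?=\s|$)")
_XML_RE = re.compile(r'(?i)(?:^|\s)[/-]xml\s+(?:"([^"]+)"|(\S+))')
# Temp locations a persisted task definition has no business living in.
_TEMP_DIR_RE = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\")
# Locations a standard user can write to; a process re-launching its own
# image from one of these is the shape of the hollowing step in the graph.
_USER_WRITABLE_RE = re.compile(r"(?i)(?:\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\)")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_task_from_temp(ev):
    """Sigma-style: scheduled task created from an XML file in a temp directory."""
    if _basename(ev.image) != "schtasks.exe" or not _CREATE_RE.search(ev.command_line):
        return None
    m = _XML_RE.search(ev.command_line)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    if not _TEMP_DIR_RE.search(xml_path):
        return None
    return {"rule": "scheduled_task_from_temp", "image": ev.image,
            "parent": ev.parent_image, "detail": xml_path}


def detect_self_reexec(ev):
    """A process spawning a child with its own image path from a user-writable
    location, as both the sample and its AppData copy do before injecting.
    System-directory self-spawns (e.g. svchost.exe) are deliberately ignored."""
    if ev.image.lower() != ev.parent_image.lower():
        return None
    if not _USER_WRITABLE_RE.search(ev.image):
        return None
    return {"rule": "self_reexec_from_user_writable_path", "image": ev.image,
            "parent": ev.parent_image, "detail": "parent and child share an image path"}


RULES = (detect_task_from_temp, detect_self_reexec)


def scan(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


_SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.30802.18675.exe"
_COPY = r"C:\Users\user\AppData\Roaming\yIgfWm.exe"

# Constructed events mirroring the behaviour graph, plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(_SAMPLE, f'"{_SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yIgfWm" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpE770.tmp"', _SAMPLE),
    ProcEvent(_SAMPLE, f'"{_SAMPLE}"', _SAMPLE),
    ProcEvent(_COPY, f'"{_COPY}"', _COPY),
    # Control: task created from a non-temp path by an admin tool.
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\Backup\task.xml",
              r"C:\Windows\System32\cmd.exe"),
    # Control: a query, not a creation.
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Query /XML ONE /TN Backup", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']}: {f['image']}  ({f['detail']})")
```

The self-re-execution rule is intentionally scoped to user-writable paths: a parent and child sharing an image is common for legitimate system binaries, but a Desktop or AppData\Roaming executable spawning a suspended copy of itself is exactly the RunPE shape that precedes the explorer.exe injection in the graph.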
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-11-02 02:15:48 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 17 of 26 (65.38%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:adb9 rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Unpacked files
SHA256 hash: 2f2c3564f0cb84536cd2877a88e44289b1f700a11562aaf37bc0e1d4f0093e1d
MD5 hash: 9515ea2ac264c7a6e9c62dda6da6c378
SHA1 hash: 25687e6c0f4d31cb9d27d74d1debaa4ceab7d690
Detections: XLoader win_formbook_auto win_formbook_g0

SHA256 hash: bb5202d2b5d1e23ba0491f3d4e3fa32ac83ab863d0a8457446de7c768ee6127e
MD5 hash: 6c33242d62f820d29f8a2e3991361566
SHA1 hash: 2029de3ed6edf5212927080b0dcd8aaf86997b49

SHA256 hash: a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash: 404efdeb9931733904da07f96fabeb72
SHA1 hash: 7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

SHA256 hash: f6710141565af7b4d0d8d5e3ec7c71221f28f9e234062902c83726799d94d00e
MD5 hash: 5b42991f146b102a777999095e49b761
SHA1 hash: 123364bcaceb1739e2bf2fd4b8b548b165ae0d8b

SHA256 hash: 53ef40bd7a3f40011262485f65a14550440b994ed5e902c9e8896bf22d2519cf (the submitted file itself)
MD5 hash: b156732979da3d9bf2910b2d13c98a17
SHA1 hash: 069f98c68b9056e592e5e5525358d8e3e224d796
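Matching a file's digests against the hash IOCs on this entry, both the submitted (packed) file and the unpacked files listed above, as an added example that is not MalwareBazaar's code. The IOC values are copied from this page; the bytes hashed in the usage line are constructed. The unpacked payload 2f2c3564... is the one carrying the XLoader / win_formbook detections, so it is the hash a memory dump or unpacked artefact will match, while the on-disk file only ever matches the packed-stub hashes.

```python
"""Multi-algorithm IOC matching against the hashes on this MalwareBazaar
entry. Added example, not MalwareBazaar's code; IOCs copied from the page."""
import hashlib
import io

# Digest length in hex characters identifies which algorithm an IOC belongs to.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384"}

PAGE_IOCS = {
    "53ef40bd7a3f40011262485f65a14550440b994ed5e902c9e8896bf22d2519cf": "submitted sample (SHA256)",
    "1b77ef871927c680922300bdc5e87ae34ae13ff8c01f5953d73daddf9c22bca756ee5810f325dfcf27a5bcd9ef5ad138": "submitted sample (SHA3-384)",
    "069f98c68b9056e592e5e5525358d8e3e224d796": "submitted sample (SHA1)",
    "b156732979da3d9bf2910b2d13c98a17": "submitted sample (MD5)",
    "2f2c3564f0cb84536cd2877a88e44289b1f700a11562aaf37bc0e1d4f0093e1d": "unpacked payload (XLoader / win_formbook_auto / win_formbook_g0)",
    "bb5202d2b5d1e23ba0491f3d4e3fa32ac83ab863d0a8457446de7c768ee6127e": "unpacked file",
    "a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59": "unpacked file",
    "f6710141565af7b4d0d8d5e3ec7c71221f28f9e234062902c83726799d94d00e": "unpacked file",
}


def hash_stream(fobj, algos=tuple(_ALGO_BY_LEN.values()), chunk_size=1 << 20):
    """One pass over the stream feeding every digest at once, so a large
    memory dump is read a single time regardless of how many IOC types exist."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def match_iocs(digests, iocs):
    """Return (hits, skipped): hits are (algorithm, ioc, label) tuples for every
    IOC the digests satisfy; IOCs are lowercased first, and values that are
    not hex of a known digest length are reported as skipped rather than
    silently never matching."""
    hits, skipped = [], []
    for value, label in iocs.items():
        v = value.strip().lower()
        algo = _ALGO_BY_LEN.get(len(v))
        if algo is None or any(c not in "0123456789abcdef" for c in v):
            skipped.append(value)
            continue
        if digests.get(algo) == v:
            hits.append((algo, v, label))
    return hits, skipped


def check_file(path, iocs=PAGE_IOCS):
    """Hash a file on disk once and report which page IOCs it matches."""
    with open(path, "rb") as f:
        return match_iocs(hash_stream(f), iocs)


if __name__ == "__main__":
    # Constructed input: no page IOC should match b"abc".
    print(match_iocs(hash_bytes(b"abc"), PAGE_IOCS))
```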
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments