MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68
SHA3-384 hash: c95965fefa8befa1039d5c31cae950e50797691369befd0d84453cac3615d61c0867360e7aab07bd7870b4f9d3081c34
SHA1 hash: afcdecc094bf1b873eab2bf30621601f2174d022
MD5 hash: 3a212b6ecce25fcb1cc280441fc36846
humanhash: lamp-king-white-fish
File name:SecuriteInfo.com.Win32.PWSX-gen.29998.25521
Download: download sample
Signature Formbook
Create hunting rule
File size:715'264 bytes
First seen:2023-11-27 04:54:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:qkkOYJWfo1Yw9p/iYU5F5vEz/UZ3JLHCEIKHAk8RMd7BR6wT:qkWJko1/pFYFpO/UXLHCEf11pB
Threatray 447 similar samples on MalwareBazaar
TLSH T1AFE4F14037F98F91E0BE9BF75571651007B6386A7A22E30C4ED220DF2E72F808A56B57
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f278acec0e061414 (8 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.29998.25521
Verdict:
Malicious activity
Analysis date:
2023-11-27 04:55:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36133177-d702-41bf-b728-08703857a5be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460503/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.29998.25521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
packed
Link:
https://www.filescan.io/uploads/6564212a1dea9b05c3cbfd8e/reports/7bc7ea49-c1b0-43af-b935-dff9baa1bbb9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d290e3d2-3958-4388-b81a-3ff85ae276d6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1348265
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1348265 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 27/11/2023 Architecture: WINDOWS Score: 100 53 www.warzonranked.com 2->53 55 www.saapoyata.online 2->55 57 12 other IPs or domains 2->57 73 Snort IDS alert for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 10 other signatures 2->79 11 KaAlEokHerLec.exe 5 2->11         started        14 SecuriteInfo.com.Win32.PWSX-gen.29998.25521.exe 7 2->14         started        signatures3 process4 file5 87 Antivirus detection for dropped file 11->87 89 Multi AV Scanner detection for dropped file 11->89 91 Tries to detect virtualization through RDTSC time measurements 11->91 17 KaAlEokHerLec.exe 11->17         started        20 schtasks.exe 1 11->20         started        49 C:\Users\user\AppData\...\KaAlEokHerLec.exe, PE32 14->49 dropped 51 C:\Users\user\AppData\Local\Temp\tmp78A.tmp, XML 14->51 dropped 93 Uses schtasks.exe or at.exe to add and modify task schedules 14->93 95 Adds a directory exclusion to Windows Defender 14->95 97 Injects a PE file into a foreign processes 14->97 22 powershell.exe 23 14->22         started        24 schtasks.exe 1 14->24         started        26 SecuriteInfo.com.Win32.PWSX-gen.29998.25521.exe 14->26         started        28 SecuriteInfo.com.Win32.PWSX-gen.29998.25521.exe 14->28         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 17->65 67 Maps a DLL or memory area into another process 17->67 69 Sample uses process hollowing technique 17->69 71 Queues an APC in another process (thread injection) 17->71 30 explorer.exe 6 1 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        process9 dnsIp10 59 www.ejcbpu.top 142.4.122.102, 49743, 80 PEGTECHINCUS United States 30->59 61 clubbiavida.com 66.7.197.23, 49742, 80 DIMENOCUS United States 30->61 63 4 other IPs or domains 30->63 99 System process connects to network (likely due to code injection or exploit) 30->99 40 WWAHost.exe 30->40         started        43 autofmt.exe 30->43         started        signatures11 process12 signatures13 81 Modifies the context of a thread in another process (thread injection) 40->81 83 Maps a DLL or memory area into another process 40->83 85 Tries to detect virtualization through RDTSC time measurements 40->85 45 cmd.exe 40->45         started        process14 process15 47 conhost.exe 45->47         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-27 03:05:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ktnwitta5mshzmuwwqgy5r6in235wptb3mrr4iibezbj4piv7vua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0eab8b2bd23f7d06734b61ba357c9fab1d97758eeb5afe2bd89fc293b88a8674
Formbook
3a243fcc9ace6c3b1f04162072325231d32c2936a98453f08f5098cf90f332fd
Formbook
4e888a7a812be647c1db3c45b41997976b81fcac54dbb3c2c53087518c036287
Formbook
4fa40e3581a918c9056869d70903c1cece412ef17ad7dc2e26526f3963bfe015
Formbook
6a14e79be0398899cfc53dc234f9e51f13705afe8b2cf15c404923bb6706ea09
Formbook
9680fcf70fd9253914ccf18d134c357b91fbce01f3f5161d13d54f0ddd464872
Formbook
be50ecdddf0589ae6dd2b3d8c089ea1382a5ce29053693f12fea2c551c6b379e
Formbook
bea05524bed97521b9125340ed086207cd5b15e3f5d44d704f592ab3ec86e90f
Formbook
d05f9af8ab2a4f8d284f8c55ff0d6bd49148f110d19dee193fafdd8a132b5c6b
Formbook
fa86b4d3e3e4217d2c502925eb6c41fb7a9bf0a17a976fc6a11a849d5861c8d0
Formbook
+ 437 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:wm14 rat spyware stealer trojan
Link:
https://tria.ge/reports/231127-fj44xaed3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
9101f63cbb03a649c58648f38b91cd6b290ab4fdd95d0934359c5d918618f35c
MD5 hash:
755decf194373941933e6046e9105324
SHA1 hash:
3812df7fb7341e40d939cf2e2b54bc4ed3238530
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/43b20d2c-3212-4bdc-9480-f494427ed001/
SH256 hash:
32eb25a5a83b6cb31fb8af15f6ac5d20bfbe6023317f6a085cb02acec28a40e5
MD5 hash:
28e7d694ccd9d2eb0645896dd4cbcb79
SHA1 hash:
fcfcfdbffbe0045b6e883ee6e10d0cbb8f833643
Link:
https://www.unpac.me/results/43b20d2c-3212-4bdc-9480-f494427ed001/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/43b20d2c-3212-4bdc-9480-f494427ed001/
SH256 hash:
f5a8f5ded618fd3989fa98a3c2d87c4853d6e10ecb1313cd5ddd7df375336b31
MD5 hash:
243f9990bb7d68a3f6e4d3999800da5b
SHA1 hash:
ba555175d12f19f6288a3574738bcd6c8b747e3b
Link:
https://www.unpac.me/results/43b20d2c-3212-4bdc-9480-f494427ed001/
SH256 hash:
54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68
MD5 hash:
3a212b6ecce25fcb1cc280441fc36846
SHA1 hash:
afcdecc094bf1b873eab2bf30621601f2174d022
Link:
https://www.unpac.me/results/43b20d2c-3212-4bdc-9480-f494427ed001/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/54db644e60eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54db644e60eb247cb296b40d8ec7c86eb7db3e61db231e210126429e3d15fd68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/460503/

Comments