MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
SHA3-384 hash: 949128d1d875bd7f60a35f8920a1f50b2d4371d6e471b6799de656f0e3957cc0ce9108112498872e57cd041032c1e841
SHA1 hash: 0c3372f7d0791de62621b25d098c9aa7728b8526
MD5 hash: 4aec69a71dff9be27f998272b34a445d
humanhash: seventeen-idaho-nineteen-west
File name:4aec69a71dff9be27f998272b34a445d
Download: download sample
Signature Formbook
Create hunting rule
File size:613'888 bytes
First seen:2023-11-05 19:16:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9DEoaE1esky+M3jbiodoMyuN4efIMHMcx+7gk+BTyPXlvqjvm:9nJFlpoMysHX+c/B+XYS
Threatray 79 similar samples on MalwareBazaar
TLSH T13AD423A0A2BC8711C4F54BF6F5B4651093FEE673B212C2190DF7B0E14EBAB055A63627
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458128/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2504.10035.17898.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6547ea2ee0edd2ae550a0714/reports/8089109b-a891-4402-b01a-4adabcf79bed/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILMamut
Link:
https://www.hybrid-analysis.com/sample/5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1977a8b-cfb3-411f-9ef6-d0e556acd5ae
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337319
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-31 15:29:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzuyib4i2go3wihyixj3576uxjabrbqchs2dj7eujlmmfqacxbga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
073bd91e3126ffb49e91e35f401d096e6bc474b973d432f001e9df2fb62d7a42
Formbook
1cc327be5ca8d7bd4cd244e9cd90454611559df4e971c3bd6649682413582c1e
Formbook
3ea69a1a0c5cc196a71ab1d7754abe0683813ff321d59d731bb72d2d3d076f3f
Formbook
5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
Formbook
7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621
Formbook
8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4
Formbook
b5081a6bb5cd550a99f314c6dd7e76cd217473ddfec2f65c1b5ec13a000680b7
Formbook
+ 69 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231105-xzcg9scf39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
741df06bf37b6f750c293e4604ee9ce314ce42817d10f64880255883136e2e0d
MD5 hash:
ba4c6697b371154d311f88f5ef6cecf5
SHA1 hash:
65309d906bfbc6d533d5e6166eface711cbb7297
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
8569fdcf712a9a1536ea68774c55bf92906ef715ded919f09473ffeeec090515
MD5 hash:
5a1ef60cdf5e8fdd4dd9f77a3bf3d553
SHA1 hash:
d8f6dcc33ef966632cb62213639d1a17b992f782
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
4f8babfd46ebc30de29d0e06c42d8fadc0d2b9badc1a4dea753ca673b3fa4776
MD5 hash:
f0a9967c6a451a6c47795bba01ed3566
SHA1 hash:
f683bbb8db7ee3b4c76cda30bbbba10e21045e82
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
364c9da7ed728a7e242434822ee981bc63708da2425eb6501e4270f0aeed2dbd
MD5 hash:
c2a67dbd20d36d8e3ff52c3a0b069da0
SHA1 hash:
68dceaedcdf425765066faed28185695136d2ad5
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
6eca37419f4209b59ccadee37b6a17ce9b12bfd56c80b69b0b21afd9f4cea992
MD5 hash:
85f0e6bcbe05727e6abe5aae4198398b
SHA1 hash:
582043b154c954de6dd5104734e00241e49db553
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
1c23a3cdaff84b1a9618c6a26ec9480d8faa824e72448960c7cef053e16dac45
MD5 hash:
e231750f80d9fd30c228d652a4659e64
SHA1 hash:
e15035f3ea2cbc3b023287f523631625189b248d
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
3a40276cd69d0e4019461561fd28e268c50bcadaf935e222bdefc9cc47f3ceaf
MD5 hash:
2929292b730d47f8643a046f81e74d44
SHA1 hash:
b46569ac405585cd797449d0e758227b287efc9a
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
a36c970654429e370b1bac52069d8e15b7ed9437862520780ee2252b8bc84de0
MD5 hash:
96171ecdf1bb98e74f1984d80765cb6c
SHA1 hash:
7f93020e99ea6014101ad78cda34f4868f888aea
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
8bddb2ca5b2986b3617a5d70c8cade98dd5be1bdc37249e415b0836c24883681
MD5 hash:
23ccdc85746fc56b921b416067849273
SHA1 hash:
5956658047f9f803d80ac2ba0b27eb79c0c8eb68
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
52c39c4a195e0e1d3d50587d7d3da6ded990ae5c0a7802345c0fa2e94b45e53b
MD5 hash:
47728aba098b3e8d00a0fc0aad5d2de9
SHA1 hash:
4b96aa803b7e0336b9e0d8014f7a6808c2df818a
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
bc741e8e3fa850665c9a10817099aa58c9c08d9b381eae61ef6a73e564ff05fd
MD5 hash:
33109497d8ac18afa85e96966f23da9c
SHA1 hash:
3678f4ee4956649a304d51d85c2ac43d2298731f
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
SH256 hash:
5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
MD5 hash:
4aec69a71dff9be27f998272b34a445d
SHA1 hash:
0c3372f7d0791de62621b25d098c9aa7728b8526
Link:
https://www.unpac.me/results/f140aa3c-fda2-4301-b198-8657a3b8bc57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2728026/
Cape
Cape
https://www.capesandbox.com/analysis/458128/

Comments


Avatar
zbet commented on 2023-11-05 19:16:10 UTC

url : hxxp://zang1.almashreaq.top/_errorpages/millianozx.exe