MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1
SHA3-384 hash:	f5c9e169e2e344654bad4023c4ba54cfafd7c65be18466fabfb232824786ba5532adb1c14b43344a89703f689ed4de34
SHA1 hash:	5c5a6c28f7778f144078c156bb7139923fc8185e
MD5 hash:	e1def58ae94bc89d5bcf50dde9d9c79e
humanhash:	blossom-kansas-muppet-glucose
File name:	PO84100036.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	2'091'008 bytes
First seen:	2023-05-01 00:12:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:rdtprgYPd4ZMr6OyVLTodGrAAeZpREEDOwEjs8H9AdXM6fVWWdzwWDOUdgOxwr:0fwhfMWDOQ
Threatray	2'779 similar samples on MalwareBazaar
TLSH	T102A5BC33D59E180EE133BA36A6E5721F5A5DFEE2071FA5D604412B4B5533E80CF88E26
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	8879f098cae060f2 (15 x AgentTesla, 7 x Formbook, 4 x a310Logger)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

241

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

PO84100036.exe

Verdict:

Malicious activity

Analysis date:

2023-05-01 00:13:53 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/6b707248-db90-4bae-bfa4-ca66863332fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/385764/

Detection(s):

Win.Dropper.LokiBot-9916750-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lokibot obfuscated packed strictor

Link:

https://www.filescan.io/uploads/644f0412463eacbc57db22b8/reports/5b4ed2cc-ba46-48bc-955c-e9103fcc4d35/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0133f00-6a6b-41ba-9814-804dc4b80a01

Result

Threat name:

DarkTortilla, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1223845

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DarkTortilla Crypter

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-04-28 02:27:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=le4t4rhqrgf764zsgpnlgqr4bjucywbyq3mhrf7t5yme7ufmwpiq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3b13397c20abd804bfd731c28f9949f2cbfcc08cdc28ec34457729d0a645dbb2

Formbook

43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4

Formbook

597979053a51f37ffa0cbeb1847f707b2dd3b3cdbcc5c0a5e66a1f15b5419b8e

Formbook

7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293

Formbook

a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495

Formbook

a96ec414b99747cf8859a77e2d05ea24053db3fa343474a007180dfefda658ca

Formbook

ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

Formbook

aee5d1b7326545ff692b98743e04d035e01415300fea8a5bf445d3490d6776cc

Formbook

edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2

Formbook

+ 2'769 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:wm23 rat spyware stealer trojan

Link:

https://tria.ge/reports/230501-ahrjjaec4z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

dab9e93a41a3ba7c82318ad6e089ca19e4e98c3c000aa5cae3d8353620b9d163

MD5 hash:

8a07b1201027f64e7ee27fa045160eb6

SHA1 hash:

b969ba87ddc0c7c88f986e07b800cdc251e87bb1

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/07fb4f01-40ff-4edc-8369-385dda85e52a/

Parent samples :

59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1
dee9f9c3981971bad83e2d8e0735f699a74dfb1be01da7a7bf8b7dd584a731dc
ba666b362fbf39a28389eacd17bbe764cf1ea11428f381bb2c874e2dbbe5586d
7dc1242cf01a3a2527ab8a7e03c370f556e3d62f4ad2567aa383000bb3448517
813edf2d24ed87e7182a05b6c7ae8acaee063fe5ff270b82d20ed00030caacb6
3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0

SH256 hash:

1cf929a43f087d6fb9cbfdced5b368ce7436e3c8cdacb9c34a3aea5a6893c35e

MD5 hash:

b8ec056c97756691579be4d5b60dc908

SHA1 hash:

e865e4de5238a9db9ce0a3b5a367916dbfa05987

Link:

https://www.unpac.me/results/07fb4f01-40ff-4edc-8369-385dda85e52a/

SH256 hash:

56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee

MD5 hash:

50f28d178452b2db4e1f466904e55c78

SHA1 hash:

d9a3246a570715d756a6c653b6818afb99ae39ec

Link:

https://www.unpac.me/results/07fb4f01-40ff-4edc-8369-385dda85e52a/

SH256 hash:

0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be

MD5 hash:

2c064163cda2f093cf6d20302481dff7

SHA1 hash:

cf948b10d999c369ef51972f86278a4f536d400d

Link:

https://www.unpac.me/results/07fb4f01-40ff-4edc-8369-385dda85e52a/

SH256 hash:

59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1

MD5 hash:

e1def58ae94bc89d5bcf50dde9d9c79e

SHA1 hash:

5c5a6c28f7778f144078c156bb7139923fc8185e

Link:

https://www.unpac.me/results/07fb4f01-40ff-4edc-8369-385dda85e52a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/59393e44f089/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59393e44f0898bff733233dab3423c0a682c583886d87897f3ee184fd0acb3d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/385764/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample