MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59cb035dba6e6398c3edf4fc56fb6ef4092a6326d8b7b53dbd3460b9456ef90b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	59cb035dba6e6398c3edf4fc56fb6ef4092a6326d8b7b53dbd3460b9456ef90b
SHA3-384 hash:	f76b68e96fa8a0e9e6a001923f5acebb9c66ffb03f43a72e727e10b138bd0d658170b03095260e4184e50f80ee9711b2
SHA1 hash:	21f4ec67bafdb3fc23fd50b0ca53b99afe87c84d
MD5 hash:	818f5b36b251c2a72dfde9b6a3a44090
humanhash:	twenty-bakerloo-maine-michigan
File name:	SecuriteInfo.com.Variant.Tedy.224685.12212.21294
Download:	download sample
Signature	Formbook Create hunting rule
File size:	665'088 bytes
First seen:	2022-10-21 07:12:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:ChPzIcDieU4+eeeylNeEwcSspu84aKmwFWCBqiKe3D343TQ:CLBeemMEwcSiBGlBZKereTQ
TLSH	T13FE4122C97E98F67CEFD1779C066541003719212B453FB5F4E82B4FA5E63BC8840A7AA
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Tedy.224685.12212.21294

Verdict:

Suspicious activity

Analysis date:

2022-10-21 07:17:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/10cbbfe3-0f27-4d45-911b-928498d5da5c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/322206/

Detection(s):

SecuriteInfo.com.Variant.Tedy.224685.12212.21294.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6352467efdf6478a15afaecd/reports/bad5dcc4-fe9f-42a8-ab65-7235c12604c0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5e85a2dd-d304-4fee-b7e3-55f997377890

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1094681

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59cb035dba6e6398c3edf4fc56fb6ef4092a6326d8b7b53dbd3460b9456ef90b/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-10-21 13:53:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lhfqgxn2nzrzrq7n6t6fn63o6qesuyzg3c33kpn5grqlsrlo7efq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:vo84 rat spyware stealer trojan

Link:

https://tria.ge/reports/221021-h13crahaam/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/68a6b8d7-979b-44f8-a43b-18bfbdc2b7f8

Unpacked files

SH256 hash:

c7449648d74edcbfb5c730f4be3c8ba5249bcf89b3de43d7825e688809599bb4

MD5 hash:

6f26fd733aba9c2b4e3a78ab2f8a1656

SHA1 hash:

45dcc917eebeee4053cc7c329d4ce19fb34a1395

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/56acdd09-21a5-4ca6-a4bf-37113163bd28/

Parent samples :

73de38a06d84d51fd173c71af2ef473703a3cfe94792a4e3bc383c528b7b3192
90afcb6b9e301d7081737182f7f3e3bff751ba972d161d8da5c24db1d0d36dc0
92954dc78f56ef75d0121624516e7556131aa6950094007398dd61194e1b8198
7f57baf941771509bb5f2b09a099e2b5a302c8892d5bdb65adcf47a8d4ecc64f
59cb035dba6e6398c3edf4fc56fb6ef4092a6326d8b7b53dbd3460b9456ef90b

SH256 hash:

c8421fb7bb57f52ef68322038f7babeabe1f31106940cea923d05645bbff80ed

MD5 hash:

f17a9dae7796ebde3e13d1c93bb13b2e

SHA1 hash:

c3538f1ca8fde241e3895bb36cfbd2b91b694e88

Link:

https://www.unpac.me/results/56acdd09-21a5-4ca6-a4bf-37113163bd28/

SH256 hash:

1432b72532ee720d226ee509d5b785e8ebb2bc899db02626cc30c809afafb07f

MD5 hash:

6d5f61fe7cbf85cdf25a70b1dddaecdd

SHA1 hash:

92e355c28d4bcf772fb0265046e5562afe72a30c

Link:

https://www.unpac.me/results/56acdd09-21a5-4ca6-a4bf-37113163bd28/

SH256 hash:

3404d125cd7c5fbe6552cab00755814fb9fc9faab82e96b261697a945a1aaeaf

MD5 hash:

f0cb9b9dd8154a15b1db74289c3a3b53

SHA1 hash:

8577acd4f289278423a0cbd660d916b41da89319

Link:

https://www.unpac.me/results/56acdd09-21a5-4ca6-a4bf-37113163bd28/

SH256 hash:

678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5

MD5 hash:

2da433d67db4775d8f02a8fed4b31bf3

SHA1 hash:

235fe8f2076f3b5cfffacc574825550cee8e61e9

Link:

https://www.unpac.me/results/56acdd09-21a5-4ca6-a4bf-37113163bd28/

SH256 hash:

59cb035dba6e6398c3edf4fc56fb6ef4092a6326d8b7b53dbd3460b9456ef90b

MD5 hash:

818f5b36b251c2a72dfde9b6a3a44090

SHA1 hash:

21f4ec67bafdb3fc23fd50b0ca53b99afe87c84d

Link:

https://www.unpac.me/results/56acdd09-21a5-4ca6-a4bf-37113163bd28/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/59cb035dba6e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59cb035dba6e6398c3edf4fc56fb6ef4092a6326d8b7b53dbd3460b9456ef90b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/322206/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample