MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
SHA3-384 hash: ea24245a30b2736a3040b05d3e368bff6a83f6717d09f19be0dc7e1af49f64827589c4ddb6d7296082174d63795f23b2
SHA1 hash: d75d609b6091503364d6e85d6cb2cd9074b2300b
MD5 hash: 86da219a34c8fe3e4551889d462fefb0
humanhash: zebra-bakerloo-pasta-avocado
File name:24Hdkz2sGxG1Xq0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:801'792 bytes
First seen:2023-05-10 12:06:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xBZfTit9gO5lDl5Olk4xUHW6Iuro9ejTJDHrB0KapGyCmyp3Q090B:xTLGH5Ai4xUHUurYejhLBCpJCmSQ
Threatray 2'782 similar samples on MalwareBazaar
TLSH T1A305E121721AAB2BC76853FB0628854503F87756FD6BD27D2EDF20CDDD12B104A22E67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 30b2c4c8c8c4b030 (53 x Formbook, 41 x RemcosRAT, 20 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
24Hdkz2sGxG1Xq0.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 12:10:23 UTC
Tags:
stealer formbook trojan
Link:
https://app.any.run/tasks/3966cd57-2d15-416d-a129-a9c55032582c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388163/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.743.5766.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645b88e68399e8849cbcc17e/reports/ac2954ca-9697-41ed-9884-228958f29b65/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4534781e-4d02-4c3b-98a9-bf4d75f1211d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229993
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862975 Sample: 24Hdkz2sGxG1Xq0.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 6 other signatures 2->41 8 24Hdkz2sGxG1Xq0.exe 3 2->8         started        process3 file4 23 C:\Users\user\...\24Hdkz2sGxG1Xq0.exe.log, ASCII 8->23 dropped 51 Injects a PE file into a foreign processes 8->51 12 24Hdkz2sGxG1Xq0.exe 8->12         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 12->53 55 Maps a DLL or memory area into another process 12->55 57 Sample uses process hollowing technique 12->57 59 Queues an APC in another process (thread injection) 12->59 15 explorer.exe 1 1 12->15 injected process8 dnsIp9 27 www.berlinhealthweek.com 130.185.109.77, 49692, 80 XIRRADE Germany 15->27 29 www.jhg61.com 150.129.40.9, 49699, 49700, 49701 TELECOM-HKHongKongTelecomGlobalDataCentreHK Hong Kong 15->29 31 8 other IPs or domains 15->31 33 System process connects to network (likely due to code injection or exploit) 15->33 19 wscript.exe 13 15->19         started        signatures10 process11 dnsIp12 25 www.jhg61.com 19->25 43 System process connects to network (likely due to code injection or exploit) 19->43 45 Tries to steal Mail credentials (via file / registry access) 19->45 47 Tries to harvest and steal browser information (history, passwords, etc) 19->47 49 3 other signatures 19->49 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15/
Threat name:
ByteCode-MSIL.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 09:58:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljdl2zn7kbt3fe4w35zau73hvoz2o47ot75bswdsik76w324jukq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
030026bf6983702ec4865754d69d48af120bf0dea165ef7ef22428422412fff4
Formbook
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
Formbook
4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12
Formbook
70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a
Formbook
891145e24408acfe405ee35239c2fbea9d5b4b2855055e3d466e01ad2cb4fd68
Formbook
8f3449b43eb5b5bc23330078ff8237c5d743a73519348f95b3c51d691f5663a3
Formbook
9d53f6d13b02326eca5357286c0852c653dd17f8459eb30dd0086fe2ef2f9049
Formbook
abbf85558290e3fa302f88f51243e5216f24c9bc4fce64a0f616db3be2c46e8e
Formbook
d549aca33462425f1f32e75b6635986df724a63b6f738247d4be19de580bc899
Formbook
f3aa635a38f6737c7250e72a15aa596ca55d1cf31398bdcb7c5c6254cadbabf2
Formbook
+ 2'772 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230510-paay5shf5w/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
e5dbdc01986d7a1a5febe880e0ae60c299de29fd8e1c87d38d961b0851cee236
MD5 hash:
dfa855f0b9535007843b04475c93eb8d
SHA1 hash:
0c13eae96b9684902b3e30f52b59152ec80e0941
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
Parent samples :
d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8
fe7399693ffec861fff386b07855b2137ae3eb8784723a7816f78122c4c22c80
f3aa635a38f6737c7250e72a15aa596ca55d1cf31398bdcb7c5c6254cadbabf2
891145e24408acfe405ee35239c2fbea9d5b4b2855055e3d466e01ad2cb4fd68
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
4c2d0702d2d40c1da4266fcebbd7eb4b7ad82f896fa6498e435faaf90e677f20
04e338b306c1f8ae3c2025bfa779a5926f0432270792db5acb944e486c7893a5
4690616c9b7b3d211237ffb3c8d981027e6a9894ab5a27f584828b67585a9886
984d0d606afc5cd507cd73f111c4de3043a19f6815db65cf2bd70bd6257d2713
cfc12adfab410acd8090691e1b66fb468e033c5c5a5de350016b3cf133be27a8
b060f747e4aa941b42d475cf40290b6211911e1e949d8a2df0705660cd014996
SH256 hash:
90eca4b22b8fc2bdff42ed891a191fbf278b9ac8b3763bf31993395aa9c53cef
MD5 hash:
b4dfaced2d96fc64b5c7e6069770c170
SHA1 hash:
45cc7ca3d357bee2d48761165a0596a29baa346a
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
SH256 hash:
c72ca892abebd8794a9544913d071c3c91356f5075509717727e180e87cb98ba
MD5 hash:
25383385b11436b817ed4dc0419f4e24
SHA1 hash:
9441f35f45a30503ebb2c717209f29341b5b48b6
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
SH256 hash:
dfd096bbbb4479cc31a14dc9b13f3c5ed253f2b6f4f6b3cac6af31eb3b78cb60
MD5 hash:
23c5cf1656761de3cc749c762f9d5d77
SHA1 hash:
8fb49316fbdcef56d750e9c8c560108d366cc833
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
SH256 hash:
f699e528014e366f07e7c5b17dad983ab0dfbd1edf53318d59db4104a0892b58
MD5 hash:
0240afe0c1dbf44ec425eee529ae251a
SHA1 hash:
3e93dbda2139394e2163c81ffdf934db47830d63
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
SH256 hash:
d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218
MD5 hash:
e5d93dadd08b8bc727e4f4853c6881ba
SHA1 hash:
27e0e057d33f01586193b0cbf06561c2863951f4
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
SH256 hash:
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
MD5 hash:
86da219a34c8fe3e4551889d462fefb0
SHA1 hash:
d75d609b6091503364d6e85d6cb2cd9074b2300b
Link:
https://www.unpac.me/results/7ef15860-92e7-4d0c-b428-7f0d9f0dedc0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a46bd65bf50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388163/

Comments