MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b23ac0d86c8bec2ed4662057ad53a6d477fc29d7f8b00a6e13cb04f44dcf934. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: 5b23ac0d86c8bec2ed4662057ad53a6d477fc29d7f8b00a6e13cb04f44dcf934
SHA3-384 hash: b40ab5c0e3b3926db89c1eb860ab9fc990a194f8c194b6fa0db060555be26bde09658a1bb2cf40c0c0b1255cbd19e072
SHA1 hash: eec4d79e07fad3c8ff24106e5f27320c787005ce
MD5 hash: 6aef3dd880a7e860da908afe693a5acb
humanhash: venus-don-double-lemon
File name: PO 138659.exe
Signature: Formbook
File size: 637'440 bytes
First seen: 2023-11-30 07:29:44 UTC
Last seen: 2023-11-30 09:32:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:mqfLYYZXTy/AuK0uihoAzChyocAcz6aJNRPKLjn5KRI4RumqOad/s4zmx:9XTqAuKmPehyoc9V52o+4RuZXdv6
TLSH: T1A3D423241F424A36C3725ABA4436942813F9BB226905F5AC4DDFB3D54C32BA5B743B37
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 186c6c6c98e866d2 (10 x AgentTesla, 8 x Formbook, 1 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 295
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO 138659.exe
Verdict: Suspicious activity
Analysis date: 2023-11-30 07:49:27 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: rendered as an image on the original page (Behavior Graph ID: 1350399, Sample: PO_138659.exe, Startdate: 30/11/2023, Architecture: WINDOWS, Score: 100)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-30 06:15:26 UTC
AV detection: 20 of 23 (86.96%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 5b23ac0d86c8bec2ed4662057ad53a6d477fc29d7f8b00a6e13cb04f44dcf934 (this sample)
Delivery method: Distributed via e-mail attachment

Comments