MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments 1

SHA256 hash:	5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856
SHA3-384 hash:	39331afa311531e77800d7f5a28719ccba8d37112a8d3bd26a74ba94639b082e47aea3eda73dba51ee6d8169c73230de
SHA1 hash:	f0f73f5822e622d2aaac95ccff91c59c50825967
MD5 hash:	2d3553c4c34f26ce90e95ed61d5f5068
humanhash:	arkansas-echo-delaware-oxygen
File name:	2d3553c4c34f26ce90e95ed61d5f5068
Download:	download sample
Signature	Formbook Create hunting rule
File size:	881'664 bytes
First seen:	2022-05-19 06:30:24 UTC
Last seen:	2022-05-19 07:42:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:sL1KugTQFHqQafmi9q2FR+HC4Syvu8PgtFl2ffosXcHUcR/wqozliKNzQNlVL:JTYH0f42rnwu8+F0HosXc0Av
Threatray	15'540 similar samples on MalwareBazaar
TLSH	T15515BE5D3690F99FC5178E36D8641C70A660BC67870BE347A0573A9CAD3E79ACE102B3
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2d3553c4c34f26ce90e95ed61d5f5068

Verdict:

Malicious activity

Analysis date:

2022-05-19 07:27:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a2e39d3e-9cb7-4518-b051-06981f036ae2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/272369/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.32105.7510.1125.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed redline wacatac

Link:

https://www.filescan.io/uploads/6285e435ff102f271238803f/reports/4d5a145e-49ea-4bd7-b95d-8bb135c34ffd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e90b61ad-7c45-4f3f-b38f-5e1839f0c490

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/997416

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-18 23:22:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

3f38d14b57be8821c36b5a3b35fee281a0371fb2b41cbecb2f788c29a34f05ef

Formbook

6eef88d9b2ada286ff5f0ee740bd12a593a6111f2e29e0b86cc43dc437701edf

Formbook

84483ed46317d2ba114e3b5f49c4a54a8801bf648b73578135372dedd3f8a9ca

Formbook

c483fdd57cf8e05985e6e09ae3c74a7b53cccff68ddccd0cfea136591ec5c306

Formbook

cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34

Formbook

e16a6b4f8f40398226babe7697203cb3cafcba921ef1328eef4ee46714f0f2a7

Formbook

+ 15'530 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:grh2 loader rat

Link:

https://tria.ge/reports/220519-g92bdaeggm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Unpacked files

SH256 hash:

050ea7736fa73134fe7642b14c03e6bc0d19017a7ed51d49dd3eff845887aadc

MD5 hash:

81aeda3c6efd4624ff8118cd38805bb5

SHA1 hash:

10f584c33e09341449d9a5127a3fb5b6af45cd14

Link:

https://www.unpac.me/results/e516dbf7-4f08-4e33-a53e-8250cc2db631/

SH256 hash:

09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd

MD5 hash:

1521132bd568891debf24b4973aaa24e

SHA1 hash:

393fafe43a177d02d2a8be164101fc2add2748dc

Link:

https://www.unpac.me/results/e516dbf7-4f08-4e33-a53e-8250cc2db631/

SH256 hash:

09fc3bcb4fe7cf8dd1dfda0d39fbc76c4985a45c01c939c914e0f0cddccda171

MD5 hash:

f9786824ddecfab33761d788c8185528

SHA1 hash:

77dec7e02882e211dd932e726cd358508facfac2

Link:

https://www.unpac.me/results/e516dbf7-4f08-4e33-a53e-8250cc2db631/

SH256 hash:

d93de1d68aae3847824b11eb8f996956067512db44e61a581cd40073bc36651a

MD5 hash:

a55519b95450a731d3b006a37c05aba9

SHA1 hash:

f264b5cbdbe28d5928a6694a69ea225160004b4c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/e516dbf7-4f08-4e33-a53e-8250cc2db631/

Parent samples :

e16a6b4f8f40398226babe7697203cb3cafcba921ef1328eef4ee46714f0f2a7
5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856
4fac64123dd9801541374d8d3bb647ed3f4378890841a7002ea48f3b14ea3872
482beb0818b4fb36d99de34bd14974c236009b5dea1b8a3fad616da83044d025
c578a70b3fe2f788f59898f782658c68b0d7e2ebe1ac30de156b1e65c270c061
38d9e46ffe8d5d1405ac99da1a744e591bc93232a51a89add6d10c00d0957710
680bdc790b1b414cf9717c6ec89bc84597d1d6afb9c3fbcbbfc57114395488b5
15445c010256a178c467773e86678ecdc33bc8519e4edb3703a1b3b17622f805
af8607577b52a1404c4055a4f4541627491af2758839b4261ec8d263f383e583

SH256 hash:

5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856

MD5 hash:

2d3553c4c34f26ce90e95ed61d5f5068

SHA1 hash:

f0f73f5822e622d2aaac95ccff91c59c50825967

Link:

https://www.unpac.me/results/e516dbf7-4f08-4e33-a53e-8250cc2db631/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/5e0b3793ea67f580aa658ab4629f7a4f4f9e307083c4ac4b6604a959d204b856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.