MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 5e2e2b3309ec8c4305d437cd8d545841e15679f664c62f8c1be1fe8733d5d292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 14
| SHA256 hash: | 5e2e2b3309ec8c4305d437cd8d545841e15679f664c62f8c1be1fe8733d5d292 |
|---|---|
| SHA3-384 hash: | eb6fc22cb1cfcd3bc58c58e89413cf65ad01b776bfc94c0977884d89bd69db6970fd482b101d7daa7bc6149ed71f90c0 |
| SHA1 hash: | f9c9bc31e4398b098a9991b5be3f36831af5d342 |
| MD5 hash: | e08c10da55cc7fe43dedca46ed3c3b38 |
| humanhash: | fanta-venus-echo-charlie |
| File name: | SecuriteInfo.com.Trojan.PackedNET.2558.31695.3364 |
| Download: | download sample |
| Signature | Formbook |
| File size: | 667'136 bytes |
| First seen: | 2024-01-09 04:16:46 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:iKGoR7Xx9gr5xW90EcepLmi/ScIFb5AK5tPYmoTBrKfFu:iPoJxedE0E5Ll/q1xHCBr |
| Threatray | 552 similar samples on MalwareBazaar |
| TLSH | T15FE4231A3BBC6B63F4765BBC49E2260213B255133BF0EA5D2CC481DD506AF1427E929F |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| dhash icon | 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer) |
| Reporter |  SecuriteInfoCom |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
463
Origin country :
FRVendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
http://prime.topendpower.top/_errorpages/ugopoundzx.exe
Verdict:
Malicious activity
Analysis date:
2024-01-09 05:31:51 UTC
Tags:
loader formbook xloader stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
masquerade packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2024-01-09 03:49:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
formbook
agenttesla
Similar samples:
+ 542 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f76c9df2a22e18f908b6a18310a614fe4cb12455de424f35ecac01cface5adf6
MD5 hash:
4895d68232c7db725b79ea225219e6eb
SHA1 hash:
a3d4ed70783079142d6941e36c4e5ec4b4af8e28
SH256 hash:
3363dcb868cc0208ec0549958076ad8569a1c19de4409ffbac91d7f92f082359
MD5 hash:
69209005d5bff76f7133bdfa9840aded
SHA1 hash:
5c210164a3cffab96cb8dbcc00acc1f79f48b7dd
SH256 hash:
294a3cf3a98e7f9fd8718276a0fb174d2fb0d956f889c94ef27b45c5a41ce1eb
MD5 hash:
4624a0f1e8b5cb6a2aa7c5d5e08a1231
SHA1 hash:
a415cb0b4e475e30dea1d552d515374c49b032a2
SH256 hash:
21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash:
440bb4db146ccb1161ac2bcf365d7676
SHA1 hash:
506eda511b46df6e95d86861e70fda81307f8623
SH256 hash:
ddb60842c12bcfea9d9ab73bdc6cd6f3a5e10c24e92f79f9e2664d544facbae1
MD5 hash:
a8491dd27f8623a08f3914677297190e
SHA1 hash:
0b91be776b418ccf49a2cc6980a05753a880f5c1
SH256 hash:
5e2e2b3309ec8c4305d437cd8d545841e15679f664c62f8c1be1fe8733d5d292
MD5 hash:
e08c10da55cc7fe43dedca46ed3c3b38
SHA1 hash:
f9c9bc31e4398b098a9991b5be3f36831af5d342
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | DebuggerCheck__GlobalFlags |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Active |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Formbook |
|---|---|
| Author: | kevoreilly |
| Description: | Formbook Payload |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | maldoc_getEIP_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | pe_no_import_table |
|---|---|
| Description: | Detect pe file that no import table |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Windows_Trojan_Formbook |
|---|---|
| Author: | @malgamy12 |
| Rule name: | Windows_Trojan_Formbook_1112e116 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_formbook_w0 |
|---|---|
| Author: | @malgamy12 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.