MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5
SHA3-384 hash: add5dcf785a56e4291b4407c7550eab4c904d292b05512b1bcef86b29e14798767468de5fcdd0651687dd4729db76667
SHA1 hash: 0e94b5abce549607936bf39d84fd9f00d0ee6073
MD5 hash: be8b7df68aa44557c26350c6bd2cd86a
humanhash: india-east-hotel-hot
File name:be8b7df68aa44557c26350c6bd2cd86a.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:584'704 bytes
First seen:2023-04-14 06:58:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:gvLq8BFuf/m4Hezd5h+Mnq4n0BTrn5Iu3uVELLsdHoFJpP:mbBsHez9ETrn5I4uVE/EIFJ5
Threatray 2'533 similar samples on MalwareBazaar
TLSH T19EC41253726E8721E2AE2BFF682B450053732547B172EBED5C9C50CB2AB5B206750F87
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be8b7df68aa44557c26350c6bd2cd86a.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 07:04:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24632433-5948-4b06-a2c4-a36d8c0691d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382210/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6438f9bc59a1287810bc1db8/reports/2ac4ea42-6179-4f9c-8d5a-a498f77c649a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18eb283b-ef5a-48d0-a176-a844a4e309ae
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1213716
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 06:55:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2dccl2r4ykrpxpdzr6qynvxhi4sqfwxhyml2fgyhm3uxtyx5t2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af
Formbook
17483ba2526d9ba490c29dc88e5c1a066b0c26f22243e02d312542a53f292393
Formbook
3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b
Formbook
4a5ee921941ba55cd069a52fc95732b78f4c430a28236c3bd752ac350e4ffa79
Formbook
5267caaadc1e9d045e08de329de614b3b85f615aeec1a5927c32cfe82d493d2c
Formbook
80c6293d18c38b686ea6ab60d134247f8d72553be2d20a305b94c78115227667
Formbook
9dea7f3e39bd54422856d3a625d94e844ac4f37ddf0ef15163a92f6aafb5c803
Formbook
d744371010d5b494046c105db860eacdacd4b639408c7543407ab426f5bf4808
Formbook
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
Formbook
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
Formbook
+ 2'523 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-hr4jfsac3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
21088178df12c1d2316c47966ab05942fa3d5e058bce6b0050dacf4368ca0fa3
MD5 hash:
d449b0934d0c02cc2775c4d8885d0d5b
SHA1 hash:
3c398435da57ed236ad49f0dc40483d0586c929b
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
Parent samples :
17483ba2526d9ba490c29dc88e5c1a066b0c26f22243e02d312542a53f292393
5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5
8a2b49852ded17c14a5909ca022342ad063470dfd23a2dc51fdea29c29c4e314
SH256 hash:
ec9d32796d750096f3f8af36ca603ba0a8841c5c1e7e3c1a7aacec67ea238a70
MD5 hash:
1944ddab32aaee8b60b05883a1be7497
SHA1 hash:
6a4692dcc8d60a8db475184904eef93804c4037a
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
SH256 hash:
4568538b9f1ceddefe214ede03a4b469ecedec4d47ee734bc9bc293d218d2d5f
MD5 hash:
a7fba78498003d0739920f528959e8ed
SHA1 hash:
9bd45d9ca34fde5d194d9c6de003897a42bd879a
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
SH256 hash:
744362b3cce0521437a2dafe6b037971e439ef75d39d7c629dea57e6c40108bd
MD5 hash:
999432c29530c8014d17e3b71df258ba
SHA1 hash:
068463b39c859beb7d5f9e96e94d3ccb2f896788
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
SH256 hash:
5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5
MD5 hash:
be8b7df68aa44557c26350c6bd2cd86a
SHA1 hash:
0e94b5abce549607936bf39d84fd9f00d0ee6073
Link:
https://www.unpac.me/results/4b3761e4-e36f-45a0-bada-39f13ef33d87/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e86212f51e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2346138/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382210/

Comments