MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7
SHA3-384 hash: be9f18ce47796a5531bc01530e6482af55fb0b53b6b3d32a78a38cdcbb647fe87f76af85aab8a72d8b038cb8e25dd70e
SHA1 hash: 65caec424eba2e80a1544d86501b4d86322fc3dd
MD5 hash: da6e03c9a40eddb667fb577ef6d4335f
humanhash: december-foxtrot-hotel-quiet
File name:3306_202.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:699'392 bytes
First seen:2023-12-04 17:16:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:h2iNtIpl1OdUsf8a4qF7yxdCvpk8ipZhGOQJTtpxRFpf0yTn:h1pOsEa4qpMdwk8hJ5+y
TLSH T180E423D273A88B6AE2750BF51EE4AD0A07719A0098E8E62E5CF550DF6470BB1C373317
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462416/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/656e09b8bb9490c89cc91d1a/reports/22840279-4ab8-4d52-b9a0-7078d566cb78/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb98dba7-9460-4041-9fcc-6f599694ff8b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353363
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-03 22:21:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2fzuph4xqnbtlpdp2gsi33b3fok6cgoconwfafxpxvdo23cn3dq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231204-vtn8rsdd2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
41e245bf0dafde03a575b0d3d6581d5f0e59329047da738ddd88b5e19fe38e87
MD5 hash:
6be36044741307f6bd5dfe7f510a84e8
SHA1 hash:
e5c31ea1f7f5a17098a001af2804aea15405766b
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
Parent samples :
33d4f40d83493428f817717c92af34b335788346735a5563e7ee515993fa8d93
8a396b8151f475d72a31a9897353e57ee18cd5ec5a4cd82d29998940ff71b3a7
1b245652f8eb90239d220881931099461279d671ad3c9f386c1c93699a9d4fc5
5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7
482fe81656515bb2c9d01bb6d5d6497834fdc36758a069616a4c71a995c10aeb
c01f5a812c3ca378bc066a4fbd56d1ceda30f8b051eaaa4941b9af92956fc8e6
be5ea75b6b003e8d06764370ba6a89be22845dec6bcf25a6f2d50c2d478dd214
SH256 hash:
a0f01eaf0772e8a22deec7deaffe23c78790261a8e917005e7796e12f4b89b6d
MD5 hash:
2d194f56ed6fd1e15d977f873b63df83
SHA1 hash:
adf44b215e43477d8e70b942c528a83df3837c7b
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
bc99dcc182eaf17394c34611c1aef4ad45c3079ae116c19caa17620d64c39f7c
MD5 hash:
84fe0cc42b4f30e7b6f58c92f9ad3d56
SHA1 hash:
d753cc7cc8e2927f9cde57fb67b5bceebd2f5fd2
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
8566b242b0fcc8949a7d595b39114fc2c5b9cd6f782741bacf67ce4ae3350d6c
MD5 hash:
743fac8557f363e9bf11059b03416c10
SHA1 hash:
cd46441a96fc654efe9642368234bfac19e4d67c
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
0e8a5f6bd3e915b9d2fae9428730dc5017348d23b622bccbb1971e352052734b
MD5 hash:
56feb04fdc8b0453c62267ac204ed555
SHA1 hash:
7d41fb41cac90bea85cb6691a5945568115cbcbf
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
4f8675cc90003592925dcd82a15b3b9d51ec048c16646367e4bd9c02e0f63fb7
MD5 hash:
d84a517d112d155c4a57b33992f53d0b
SHA1 hash:
d72997d7594484733e157b9c4025bf4382137827
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
d5f1aefa146f3925c3887bc19cf74afdca908ea06204ec31f2c9b217d1c5e9e5
MD5 hash:
1d306765cb3db90c88da639d388e1010
SHA1 hash:
ab2faeaab8318c36849426e1b14f059934fd2ba1
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
96e988ca38ed6fb6579543c5003a9822628fee0a017666f28072421bd68a836d
MD5 hash:
62de6ff35bdd65c87bced153635f7496
SHA1 hash:
9d80b3a9c4497f16ad6967b582f2a9b9f1149ccd
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
e768b1b5b9003139850155a17aac9ff9d3fa45dc07330ca9c4a002ed168c52f5
MD5 hash:
1457524346e04463235ee83f27be5424
SHA1 hash:
7d55f7bcfc4d9a6090e12a16c288ee9369be874c
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
327bd66ed3bff7b83ca4165464a7214ed478d87560386825abf49ba937fd0a67
MD5 hash:
1974b29620d6e36ce9affd4424f754a8
SHA1 hash:
7b34cc1ed8624df5b815091edb24f6781d063c07
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
7f84498df5050bf62d0ef441ea2523f82cf484a078db80a62db81cc43105897f
MD5 hash:
99a35508dfae2382e97031a300b910df
SHA1 hash:
2b7fc21a2383a0c02da16d9b44e136ddb6e54bb6
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
SH256 hash:
5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7
MD5 hash:
da6e03c9a40eddb667fb577ef6d4335f
SHA1 hash:
65caec424eba2e80a1544d86501b4d86322fc3dd
Link:
https://www.unpac.me/results/8dcc8dbe-36c5-4d67-9f7a-3d3bbed039c6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e8b9a3cfcbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso b472e0868ad8c08854f2272abd8d06fbfe068dd61803d6e3ea1866a46c14fe27

Formbook

Executable exe 5e8b9a3cfcbc1a19ade37e8d246f61d95caf08ce139b6280b77dea376b626ec7

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b472e0868ad8c08854f2272abd8d06fbfe068dd61803d6e3ea1866a46c14fe27
Cape
Cape
https://www.capesandbox.com/analysis/462416/
  
Dropped by
MD5 4119b551eb2ced660f01c5ce1643311c

Comments