MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7
SHA3-384 hash:	18ac1b19fa8acd352647d1cd07b9bdde624874c3b7c2d22ebc05a48c77ac89bd16cbefab500cb11fca1cdba74b043536
SHA1 hash:	3282161bbd6fd6a85c9bbd4ed3917d71d0e1d8d6
MD5 hash:	b6ff82cc413a0a31dfa1a4a028ac6e0f
humanhash:	moon-delaware-bravo-cardinal
File name:	Enquiry spread Sheet 0924.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	711'680 bytes
First seen:	2024-09-09 10:50:05 UTC
Last seen:	2024-09-19 12:28:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:YaQUPvPQ2yBNguVMg71L8xyJARQW0ikHNFOoesWJoBG9i72l:DoTBNXGg71AIAa3NcowJookE
TLSH	T162E412383229E915D96607B44532D3B257397E9DE220C30A4EEFBCF7741AB70AA14793
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

402

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Enquiry spread Sheet 0924.exe

Verdict:

No threats detected

Analysis date:

2024-09-09 10:52:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e283547b-a4ee-4963-a04c-2cb1f219befa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.28.7438.4352.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ded318ee4e815578171508

Tags:

Generic Static Swotter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/66ded31bc97eb38a1fe3ab4a/reports/8d93ae89-b121-4ed4-8b26-a1d846c65c20/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5164b788-8c9e-4b36-8676-a87363d42956

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1507839

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2024-09-09 06:10:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l42jmgup7i5tuuftbgdxfa7ajwyqzdm22twu3rgycabj4evkdplq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240909-mxtnnatfjl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d09432f8-66a5-466f-8753-1ccf52fb11cd

Unpacked files

SH256 hash:

bff286f985c22b56c9a653ac87df8f5c45051c63aee3f995ea0f937ae2faa22c

MD5 hash:

9b7abd2ff2fdcf612068ac28b7a2cd3d

SHA1 hash:

bb98e052dee85287d71fc2bf8c6314b7a4fff096

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/c6564b32-b289-41e1-a779-d07a55b44489/

Parent samples :

2c8b43fd65a13e27fd960fc1d5995c9e0dc63d4c80803fde0e4505de86a3186a
5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7
b246a081a4c5a68590f53f2e7564a770df3d2aa16272f49ee2ad2d2b8a6d1005
f4bd1f9dec0127be05780b194dba31eda1a4882ec5df8e46c93aa6b58a5f337e
df3c78262e1d216441fe9888920c87ee92fd963b4b3823e3e99b208b8b5b6101
7a54497b3213ca0a232b8483c0f23046b9d51a6c9816f768ec30094a72c47a9a
aba7d28fae8686990a87616f3a8b688865bfaa9bfaa0b85a3001c49ed5f3cd43

SH256 hash:

769e0bf3e997bbb7d70322fc3dea9d8f167847b9262a35246dcbf9e1169b45b6

MD5 hash:

59a95cbe93818b6b7172c2e17234416e

SHA1 hash:

7c44bacb857916b1b2307d822fcf3f92a3902fc7

Link:

https://www.unpac.me/results/c6564b32-b289-41e1-a779-d07a55b44489/

SH256 hash:

03f7327c41a39fe66bef4303a2eb54e694797d266d88a6aae14f12bd8fedbf0f

MD5 hash:

637129eaef64e4c9666754342a1d27ba

SHA1 hash:

5caca7356ac1939fd1ba08dfcfa3d839a509cc6a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/c6564b32-b289-41e1-a779-d07a55b44489/

SH256 hash:

c59a72e874640d2d2c5669edc14fdeb82a72cbacde61679907d2926b8ed79d08

MD5 hash:

b37fc99b846edbde0d0f36bee1760849

SHA1 hash:

0016396b048dcbda5b87742c32678f706db6362c

Link:

https://www.unpac.me/results/c6564b32-b289-41e1-a779-d07a55b44489/

SH256 hash:

5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7

MD5 hash:

b6ff82cc413a0a31dfa1a4a028ac6e0f

SHA1 hash:

3282161bbd6fd6a85c9bbd4ed3917d71d0e1d8d6

Link:

https://www.unpac.me/results/c6564b32-b289-41e1-a779-d07a55b44489/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5f34961a8ffa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 5f34961a8ffa3b3a50b309877283e04db10c8d9ad4ed4dc4d810029e12aa1bd7

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample