MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294
SHA3-384 hash: 8d5a8349488a8cbb97af9984ba4679d32ab075573e44c7509fdd1d61491618f756c815b802ab145d0590a62a05b13efe
SHA1 hash: 43c43d1025925785a23ec4b160dfd566135266ca
MD5 hash: 3a1133a31a67b64ec6165ac328098fdf
humanhash: freddie-winner-nebraska-music
File name:SyncTextReader.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'137'664 bytes
First seen:2024-09-05 02:47:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:bU1zwrxR4lWzWzm1ejk7ZDsLCoFCS4/d8:40R4lEWzm1e47MCogH/K
Threatray 4'564 similar samples on MalwareBazaar
TLSH T10135CF1036D89466F4B31FBD48BCA05061BDFE6B5B17C90D39B2674A13A374389E236E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter adm1n_usa32
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SyncTextReader.exe
Verdict:
Malicious activity
Analysis date:
2024-09-05 02:45:32 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/9ecffc2b-cb8d-4b13-bd25-00e387dbbeb2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.889-1.UNOFFICIAL
Create hunting rule

Win.Dropper.LokiBot-10026902-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d91be7f3d7ccf99f90041c
Tags:
Execution Network Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Creating a process with a hidden window
Restart of the analyzed sample
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81bd6eaa-8017-4dfd-8e69-db6fe2163c74
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1504611
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1504611 Sample: SyncTextReader.exe Startdate: 05/09/2024 Architecture: WINDOWS Score: 100 51 www.getridofmyed.xyz 2->51 53 www.williamandholland.com 2->53 55 9 other IPs or domains 2->55 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 87 13 other signatures 2->87 11 SyncTextReader.exe 7 2->11         started        15 NyHwxWSaYDxx.exe 5 2->15         started        signatures3 85 Performs DNS queries to domains with low reputation 51->85 process4 file5 43 C:\Users\user\AppData\...43yHwxWSaYDxx.exe, PE32 11->43 dropped 45 C:\Users\...45yHwxWSaYDxx.exe:Zone.Identifier, ASCII 11->45 dropped 47 C:\Users\user\AppData\Local\...\tmp2FAD.tmp, XML 11->47 dropped 49 C:\Users\user\...\SyncTextReader.exe.log, ASCII 11->49 dropped 91 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 11->93 95 Tries to detect virtualization through RDTSC time measurements 11->95 103 2 other signatures 11->103 17 SyncTextReader.exe 11->17         started        20 schtasks.exe 1 11->20         started        97 Antivirus detection for dropped file 15->97 99 Multi AV Scanner detection for dropped file 15->99 101 Machine Learning detection for dropped file 15->101 22 NyHwxWSaYDxx.exe 15->22         started        24 schtasks.exe 1 15->24         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 17->61 63 Maps a DLL or memory area into another process 17->63 65 Sample uses process hollowing technique 17->65 67 Queues an APC in another process (thread injection) 17->67 26 explorer.exe 62 1 17->26 injected 30 conhost.exe 20->30         started        69 Found direct / indirect Syscall (likely to bypass EDR) 22->69 32 conhost.exe 24->32         started        process9 dnsIp10 57 www.jzmbgjj.com 15.197.192.55, 49742, 80 TANDEMUS United States 26->57 59 www.levelup-edu.com 172.232.25.148, 49743, 80 AKAMAI-ASN1EU United States 26->59 89 System process connects to network (likely due to code injection or exploit) 26->89 34 help.exe 26->34         started        37 cmmon32.exe 26->37         started        signatures11 process12 signatures13 71 Modifies the context of a thread in another process (thread injection) 34->71 73 Maps a DLL or memory area into another process 34->73 75 Tries to detect virtualization through RDTSC time measurements 34->75 77 Switches to a custom stack to bypass stack traces 34->77 39 cmd.exe 1 34->39         started        process14 process15 41 conhost.exe 39->41         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-09-02 04:01:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
33 of 38 (86.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6drt44bypn6iziiekl4ptqnflzjkrid643vslyzge5mdh442kka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0509f94b1130c86832027f9990c3f3da9a84bc00f1462e99e8ef16a806944bb4
Formbook
1ccd3e2580b4e0de27bfeae3a92d638230c573704c66a06a0e11018224d176a0
Formbook
33779a75da1af9c5f45112370d3dbd803e86fc7b88bc5a1f43a7b76fc9d887ab
Formbook
393f41d6aaa447a3fc89f83b3ffb08574464197bf45704ba8226cd070b63c6ed
Formbook
3b746894d0a71f6162d96d2af36bea8d794d7e23af44c5536fcf97d416510a6e
Formbook
3e9f3a83f830c41cfec094e86c31a8c79c032814a4f029eba014cf90b7db75ab
Formbook
b878010c65295ac447edb5249825bc8ef4ba872b9a584b3dfbe4ad8f25634bfb
Formbook
c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a
Formbook
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
Formbook
+ 4'554 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:j7e discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/240905-dafnva1hlp/
Behaviour
Gathers network information
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/233ab0f3-12d5-43c7-8d10-536085ac0d64
Unpacked files
SH256 hash:
9d6d5dffa7147a3a298caafe1a24c7eae6ef1f73d04c29c7132d1a604c133504
MD5 hash:
e624758f75c2a66f562c45a8ee7317d0
SHA1 hash:
1399ecd3fe17bc295cd86405f6b4b9c6eb0bf282
Detections:
FormBook
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/fc657b86-9ff2-499e-8dd5-3dbace95ffb3/
Parent samples :
1b7b0ee9811587f5a4402008e994f9da8eecca2d61c2818c2747662b88697928
12fbb133afa686a29a8f474db034e61bb14b54146694a8993c61d28990cb634f
fffc665a528ef7890cc8ad27da9b1e1e9b5d813455875fdf591f5ddcaf86e490
9ae702c9e46c101c73bf7914b4862026d5faffba8fab559fa03e03d2015749e2
e1f620a49978341460d102aefd71b13a0f3d36aaf8dfa042844984ad6dcfaa7c
29559b48621146787d64cd953d655cd34f1b4a029c450d4364e2026e8a671982
5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/fc657b86-9ff2-499e-8dd5-3dbace95ffb3/
SH256 hash:
049c67578f34b549964c818f49755daf8449313ef505ae1aacd4cc1c27667e45
MD5 hash:
16ecdfed34e71096638c2e3e14bf3816
SHA1 hash:
07d65e0bae5bfa04c9d8d8da31a3ccae8014f8e5
Detections:
CyaxSharp_ReZer0
Create hunting rule
Link:
https://www.unpac.me/results/fc657b86-9ff2-499e-8dd5-3dbace95ffb3/
SH256 hash:
5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294
MD5 hash:
3a1133a31a67b64ec6165ac328098fdf
SHA1 hash:
43c43d1025925785a23ec4b160dfd566135266ca
Link:
https://www.unpac.me/results/fc657b86-9ff2-499e-8dd5-3dbace95ffb3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5f8719f381c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f8719f381c3dbe465082297c7ce0d2af2954503f737592f19313ac19f9cd294

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments