MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401
SHA3-384 hash: d08408f4fb25ccd370d38f9ddd32b40af2ad2079f67707cf4ec952ce60526e0c62c3472e69e2fcd2a02b22a5b48d7224
SHA1 hash: a729ca51498f138cdf34f16ecc55003419005e36
MD5 hash: 34ba287fe6f4d3485c12e981d1e8df82
humanhash: cardinal-blossom-tennis-pizza
File name:SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.10350.31223
Download: download sample
Signature Formbook
Create hunting rule
File size:697'344 bytes
First seen:2025-02-13 03:35:13 UTC
Last seen:2025-02-13 04:24:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:W6HH/DneK/3D2jjMLbLxNT4LIOIzpDNdHEaFvMKwkx2ZpYhK:WgHzeBML3bT4Laz5NxvFvAlZSQ
Threatray 4'527 similar samples on MalwareBazaar
TLSH T1D7E4E0C83B26F706DE655A30C935DDB592A81EACB1007AE25FDD3B4BB9EC101990CF49
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 7474f4b470c4ecc0 (6 x Formbook, 4 x AgentTesla, 3 x VIPKeylogger)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
494
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.10350.31223
Verdict:
Suspicious activity
Analysis date:
2025-02-13 03:40:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d3c7d65-c5b4-4c1c-9686-074fd16327ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.20.26241.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ad687e4f5583c4c4d89c47
Tags:
micro shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67ad687b1195447a80c3be93/reports/2a150500-1094-4064-b610-30cf449deb58/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba584727-ac9c-46e3-9c42-45cb5f2ad9f1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1613981
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1613981 Sample: SecuriteInfo.com.TrojanLoad... Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 73 www.uyukgorus.click 2->73 75 www.log99facebest.shop 2->75 77 4 other IPs or domains 2->77 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus / Scanner detection for submitted sample 2->85 87 8 other signatures 2->87 11 STPpQuBkqd.exe 5 2->11         started        14 SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.10350.31223.exe 7 2->14         started        17 explorer.exe 2->17         started        signatures3 process4 file5 101 Antivirus detection for dropped file 11->101 103 Multi AV Scanner detection for dropped file 11->103 105 Tries to detect virtualization through RDTSC time measurements 11->105 107 Switches to a custom stack to bypass stack traces 11->107 19 STPpQuBkqd.exe 11->19         started        22 schtasks.exe 1 11->22         started        65 C:\Users\user\AppData\...\STPpQuBkqd.exe, PE32 14->65 dropped 67 C:\Users\...\STPpQuBkqd.exe:Zone.Identifier, ASCII 14->67 dropped 69 C:\Users\user\AppData\Local\...\tmp80C9.tmp, XML 14->69 dropped 71 SecuriteInfo.com.T...10350.31223.exe.log, ASCII 14->71 dropped 109 Uses schtasks.exe or at.exe to add and modify task schedules 14->109 111 Adds a directory exclusion to Windows Defender 14->111 113 Injects a PE file into a foreign processes 14->113 24 powershell.exe 23 14->24         started        26 powershell.exe 23 14->26         started        28 schtasks.exe 1 14->28         started        32 3 other processes 14->32 115 System process connects to network (likely due to code injection or exploit) 17->115 117 Query firmware table information (likely to detect VMs) 17->117 30 WerFault.exe 17->30         started        signatures6 process7 signatures8 89 Modifies the context of a thread in another process (thread injection) 19->89 91 Maps a DLL or memory area into another process 19->91 93 Sample uses process hollowing technique 19->93 97 2 other signatures 19->97 34 explorer.exe 1 19->34 injected 36 conhost.exe 22->36         started        95 Loading BitLocker PowerShell Module 24->95 38 WmiPrvSE.exe 24->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        process9 process10 46 control.exe 34->46         started        49 WerFault.exe 34->49         started        signatures11 119 Modifies the context of a thread in another process (thread injection) 46->119 121 Maps a DLL or memory area into another process 46->121 123 Tries to detect virtualization through RDTSC time measurements 46->123 125 Switches to a custom stack to bypass stack traces 46->125 51 explorer.exe 46->51         started        55 explorer.exe 46->55         started        57 cmd.exe 46->57         started        process12 dnsIp13 79 a-0003.a-msedge.net 204.79.197.203, 443, 49990, 49992 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->79 99 Query firmware table information (likely to detect VMs) 51->99 59 WerFault.exe 51->59         started        61 WerFault.exe 55->61         started        63 conhost.exe 57->63         started        signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401/
Threat name:
ByteCode-MSIL.Trojan.SnakeStealer
Create hunting rule
Status:
Malicious
First seen:
2025-02-13 03:36:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7d63qnjjdtzeu5y7iidv6xdgxijoroszxscialv6qr2fx426qaq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
7d39dde72383a557950523dfc9e5a64718323fcebf5d41aba286763c9ae7b39e
Formbook
b731e1e07da1ab601c2773e2124f60e482f30f81bf2d1d64c3363c5d1f4ec08d
Formbook
c6b1ba9ffe05a03d88f24ae7fe9c3543976d9c392862d4c2ca6ca2d53c4befd6
Formbook
cc7cc38e5d7bc6d4f12623ff831c3611d73d905d78b62a173907b947d53242c1
Formbook
e35ac55cbd3d5f8449f8c2ba5521211f2ef4b1d00de6267d6f99cc83689fa8d5
Formbook
error
Formbook
+ 4'517 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oi08 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250213-d5hrpasrfv/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/12b7810e-7af6-4eea-a2b3-c1f2968244ca
Unpacked files
SH256 hash:
5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401
MD5 hash:
34ba287fe6f4d3485c12e981d1e8df82
SHA1 hash:
a729ca51498f138cdf34f16ecc55003419005e36
Link:
https://www.unpac.me/results/01dbf7b8-d315-4dd3-960b-22c05688ea5b/
SH256 hash:
e712bcd56fe64742c0f674f3acff83490f8103c260ea3389f56151b5066b7cd3
MD5 hash:
7bad4197d1ae020c9049a782eb9a71d2
SHA1 hash:
e1253047ea92beb7d161b106765ad8b03bc86b1e
Link:
https://www.unpac.me/results/01dbf7b8-d315-4dd3-960b-22c05688ea5b/
SH256 hash:
95e17b223dde5e40fe5c48223c3eaea51a8e139c777124851673b082b915c6fe
MD5 hash:
b40203ce37cd4eee21439712da6f5fcd
SHA1 hash:
e542a404d98d09b0736487f2e996f98abbb80ad0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/01dbf7b8-d315-4dd3-960b-22c05688ea5b/
SH256 hash:
8ba7f8cd3c51dfd75f34fc9dae329943f16b88d4719efc05bf0101aff8f4b940
MD5 hash:
38f0d2fb6b6041fbe7d59431b14e2569
SHA1 hash:
fadbaf51a1711728663a724ff3ea48d7e0b06b70
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/01dbf7b8-d315-4dd3-960b-22c05688ea5b/
Parent samples :
5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401
a1e04def7fd209402cfc002db03fb18c9d8694d6707b4201cbaec8ce3303ff53
055fc07fef20e60123cd7d9760cffff1cfceac4a752a91b810bb708da88b4316
8e000211c865431b51b1e3733e0bc6d7efcfb8a3d45631cb10f0d7813b0b2e59
9b7fee62771dd489a06bd73844e56c4335034872b8d0286cc456ca6077b0e149
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fc7edc1a948/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fc7edc1a948e79253b8fa103afae335d09745d2cde4240175f423a2df9af401

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments