MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776
SHA3-384 hash:	e7a3e1a5c75e142d5fda4bb1b3edaa6e15b764c4617aa9d705513ba4e469fd75a58c8da37b300db87d891e2a16e9f61c
SHA1 hash:	227c9c74d5ad5cbcfb1838ce4248e485518fb95e
MD5 hash:	870e59c51a8f4c9b4461dee1d15d1599
humanhash:	tennessee-leopard-bacon-salami
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.30020.14911
Download:	download sample
Signature	Formbook Create hunting rule
File size:	762'880 bytes
First seen:	2024-08-29 04:18:53 UTC
Last seen:	2024-08-29 11:12:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:6VVHv5UIyJsebh+x/TgxIZEEEBftetQCo0nhczvuwQmlQjc8Y1H4qAhGQ:MuTsebITgU5EBftaThczvs6p8KH4qq
TLSH	T178F423606164CF54EABF47F8B05945A50771B8DAF840F33E58CD55BD0AE2F201A336AB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

392

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.30020.14911

Verdict:

No threats detected

Analysis date:

2024-08-29 04:19:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/378ccf7c-8c91-4690-9647-251552ce23ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.30020.14911.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66cff6b9fe69a9e56049d0f5

Tags:

Heur

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f16869cb-7b25-4bb7-b836-a83d38cd10d3

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1500930

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeyLogger

Status:

Malicious

First seen:

2024-08-29 04:19:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=me4zalryonkshbo7yeb74hnzxizwxphi2pnrqdf7wwedklafk53a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240829-exhmdsvfrq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e2d2c5ef-55ed-4729-9dd4-a40c8028ca51

Unpacked files

SH256 hash:

93ec307174d91b812952e4172fdcb943333791816d5ebbf4730b4ccb8e0d82b2

MD5 hash:

cb091c1e4419f6755c82e8261ecb1134

SHA1 hash:

dea4a31ef5346ebf2d52693e13f76e289f1da788

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d4ba3df9-20cc-44f1-b75a-d6e761a12003/

SH256 hash:

cb0da7e09ab8975e7407182194ff29f2986dea444d724a231e09c9e9dd7fd99c

MD5 hash:

104e6a02598b3cb01356802f12d6994c

SHA1 hash:

bb60c8ab67010a4147d7f43dbb1efb417bd4cef7

Link:

https://www.unpac.me/results/d4ba3df9-20cc-44f1-b75a-d6e761a12003/

SH256 hash:

c22b6e2cfed3d7e9e0bc312aedb34dd32d9b8049319032ddc7557c9756cf07f7

MD5 hash:

afafe33158d5f82d678539141bbd0455

SHA1 hash:

5746d7bc26825f9bbf73487ee0dd5324d9a19288

Link:

https://www.unpac.me/results/d4ba3df9-20cc-44f1-b75a-d6e761a12003/

SH256 hash:

0371f633031157d98c883966e6c94a336700f5b66239bf96af10b571d059cbc9

MD5 hash:

29242cc49aa936795ada426e892c76b0

SHA1 hash:

45cfd75860f19a8fbbd79180a75c06280c79e663

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/d4ba3df9-20cc-44f1-b75a-d6e761a12003/

Parent samples :

d3e597c7a7074ebbbf6def6c24c0b979de124435a2c9a01dcb9a36ee1c5864d8
8f81ed1c250530c6a24f60a8f0c39f48bd2c98f08e6100bc8f844fc3a53c6909
f4cc2743d202249ab338480e5c4cf22f2662065d078da09c89af833dbd1c1717
60734325fb48873fcbe11315a91032bef2048981cd35cdd24c6502cb81b03d92
c3d4bf7b34654afd79490a7c3ba3b19f9ccb920e3fa7649c23a73c8269fe6744
6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776
a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b
c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

SH256 hash:

6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776

MD5 hash:

870e59c51a8f4c9b4461dee1d15d1599

SHA1 hash:

227c9c74d5ad5cbcfb1838ce4248e485518fb95e

Link:

https://www.unpac.me/results/d4ba3df9-20cc-44f1-b75a-d6e761a12003/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6139902e3873/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample