MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc
SHA3-384 hash: c2c02d4c35ea8383c9a49f83e533bdb376a4b46d573b1f78cc0fbc1cc3ad2f714d7a279249e0a35bcc078914ff9b4bdc
SHA1 hash: b630b77eebf3f34933c136a1fe1fae361070a503
MD5 hash: 7fb394034358619f6d6ff6a3e89b4208
humanhash: harry-avocado-montana-mexico
File name:SecuriteInfo.com.Win32.PWSX-gen.10818.20967
Download: download sample
Signature Formbook
Create hunting rule
File size:864'768 bytes
First seen:2023-07-21 06:32:34 UTC
Last seen:2023-07-21 09:39:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:l3gXmmMrsGY1Tl/KAs3JbOLigR3Ka5xTfweOcIWL2kfbxUX:5ymmMrv2TgdxC3TtOcIG2YS
Threatray 3'470 similar samples on MalwareBazaar
TLSH T17605D014B2B80B32D57E6FF6109456480BF57157B17FD22D8ED260EE5AA8F700E82B1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.10818.20967
Verdict:
No threats detected
Analysis date:
2023-07-21 06:36:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/07cae728-646d-4b4b-8900-7a5f96e563d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/427325/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10818.20967.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30206813-3931-4a58-bc74-d8661c70f7e2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1277235
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 05:00:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfymu2nvven67gvege5rolq6dswzuh7c4tyesbjdcx52l6p4fhga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03728e854a392ef693c6c2dbb39d240883db16cc580da2e95b9ca15197fb7d67
Formbook
53776bf7c5fa91e2914a9ff83a3625d28cd72749d80b2a68a53794bcd3839e50
Formbook
74e0e44962853defab1a9e26b38a812fac44b61910ea18102c3e7b227ee03ebb
Formbook
827555c608d1e12973d7c28d45b4ca8d5342d1dc77b12a5d403a32d83e591fb8
Formbook
8a88d8c71eeff5031c0be922bad9639753a904fbf78536c0f8ac0619ae69d1b4
Formbook
9db20870570e93875292e6a6a5f7683982cbe675135032c7dafc2b9704f3cb06
Formbook
ba4e482497b5d2ac9d86cb9cc8bae37dc76d2720ed8eb7dc363a74e8d60711d6
Formbook
c26acaed8f3af9114db0aef3c6446531f65209789b4c423d18e4d40312bb633d
Formbook
ebee69a6ec18f54b490457eb4cbc49e9394f1d2128044c1545ea6eb92b515dab
Formbook
ebf830b54a27c0e76363ae7c9fb6e40a7f28c70da7f4d10d05bcf8e27766b56e
Formbook
+ 3'460 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230721-ha6x9acd23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
27de1ba0ca30a5aec97b4c1c67b00b5d424ecc02e612a82a0ab7efe0c7cf230f
MD5 hash:
4d7933473269c946410f1bcc863f6fb0
SHA1 hash:
b4284f753eb4cc764c8c878e725aaab6fb3f59bc
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/a26f6c76-d916-435f-9618-7db35c0d5e42/
Parent samples :
4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6
4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc
SH256 hash:
00dc3a719e25b75930baf2d69e109229a752562b84e2e73db7823f373a0deb51
MD5 hash:
a9df754c8f8ea27fe333e0eb5aafcb05
SHA1 hash:
270fa47e4ccc1f430c2addb8f66cf6e1b65d7442
Link:
https://www.unpac.me/results/a26f6c76-d916-435f-9618-7db35c0d5e42/
SH256 hash:
6ff864730c250a71af3ba8dc84258aa798caad168d84e5be3df447a952362c79
MD5 hash:
87efc7410abedecaa3bcd8f08be62123
SHA1 hash:
c03eb83ff924cab5bca4b68be66c2adb15ec7083
Link:
https://www.unpac.me/results/a26f6c76-d916-435f-9618-7db35c0d5e42/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/a26f6c76-d916-435f-9618-7db35c0d5e42/
SH256 hash:
eb9659fe647ed73c38a6ed5cf811392aa36230b6ff91a8588d1b5ab557757eb0
MD5 hash:
0364f8100802aade2ab6f4027e7e7c2c
SHA1 hash:
17830b30799b545cf25f676a407608ca4be4c17c
Link:
https://www.unpac.me/results/a26f6c76-d916-435f-9618-7db35c0d5e42/
SH256 hash:
6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc
MD5 hash:
7fb394034358619f6d6ff6a3e89b4208
SHA1 hash:
b630b77eebf3f34933c136a1fe1fae361070a503
Link:
https://www.unpac.me/results/a26f6c76-d916-435f-9618-7db35c0d5e42/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6170ca69b5a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427325/

Comments