MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404
SHA3-384 hash: 5959ad97cbb2de602852e29f749cf9f3d95d50fd5d0b6b71c3a59671b727827a77a6c4fd4d16b97449754a82fe31f076
SHA1 hash: efe38e543b7a96068ebcdbb2bda0a8c9156e2860
MD5 hash: ab6e82bdc18b130df1e33cfe0e27e736
humanhash: alaska-uranus-william-lamp
File name:PO #Wst0509022_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:278'448 bytes
First seen:2022-09-08 13:50:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:3kTZdiZmhryoh61TphiqEMdJJu62I5wcub5Mc:3kTZY2yP1doiPu6f5+Mc
Threatray 132 similar samples on MalwareBazaar
TLSH T10B44D089B640B88FC457C872D8D95C28ABA5BD764727C203B09772ADC91C7E7DE060F6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO #Wst0509022_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-09-08 13:52:57 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/776fd713-a5aa-41eb-9d8e-e089afe9b89c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308793/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Launching the process to change network settings
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6319f3a5d06d9bc4c7ac43d9/reports/6d3c1dee-128e-4c16-8cab-defee4855ec6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a1fb073-db2d-49c4-87f8-897801029c80
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067164
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 699697 Sample: PO #Wst0509022_pdf.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 31 www.skintegrityskinspa.com 2->31 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 4 other signatures 2->43 9 PO #Wst0509022_pdf.exe 1 2->9         started        signatures3 process4 file5 23 C:\Users\user\...\PO #Wst0509022_pdf.exe.log, ASCII 9->23 dropped 53 Writes to foreign memory regions 9->53 55 Allocates memory in foreign processes 9->55 57 Injects a PE file into a foreign processes 9->57 13 cvtres.exe 9->13         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 16 explorer.exe 13->16 injected process9 dnsIp10 25 www.symbolsdecoded.com 91.195.240.94, 49725, 49726, 49727 SEDO-ASDE Germany 16->25 27 www.standahomintric.com 154.83.12.17, 49730, 49731, 49737 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 16->27 29 4 other IPs or domains 16->29 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Uses ipconfig to lookup or modify the Windows network settings 16->35 20 ipconfig.exe 13 16->20         started        signatures11 process12 signatures13 45 Tries to steal Mail credentials (via file / registry access) 20->45 47 Tries to harvest and steal browser information (history, passwords, etc) 20->47 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 09:11:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mi6gyiiikjmrgjqz4qzo5smjv4iggxqo52cjqjdcys3eue47uqca._file
Verdict:
malicious
Similar samples:
1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443
Formbook
5706d730a58d4d29d100059bb955e681dde3060f26f17b2d2ee4eb9d9f0f9ee1
Formbook
57eb07bbd93ef06938180786e64bf2f42bcb3be8525c6217a8713096a078ada5
Formbook
66e023153783841c82581216957c689782313b971b270bf48f1ec3bc1885d3e4
Formbook
84e9f33b682944d11444e1ddd0f27f2fa6c1d0ca29ed8a6a620b406233ef82a0
Formbook
cfcd7de22c049bdefa98959de3072b2bfc12e280193d43e4749a84e48ba665b6
Formbook
db9b829443caa52821b672731426400ed85709bb7aec5093c845e144b962faeb
Formbook
e9e93ee1b8ac56b5e18d639d1d1f5863684b18fdf5b9c5dcc7f542794c8d530b
Formbook
f52fea9d74e4b0fea689f2f770e12826c8587eddb3111434cdcde14c4d24a4f1
Formbook
f6445e9f6025358ce2d8b93f36f22e0142c5b3ba025c63177c3739e17c1ec6df
Formbook
+ 122 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220908-q5tkeabhbm/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
b824cc6b87b6374da77d15434032e4d79c1e3a824d47f57d2915dcbaba3dc550
MD5 hash:
7a15a149f263f4e1608f9da62497d2db
SHA1 hash:
49f4c369ec305c6af9798241efb0f6460f28e925
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/795fc1fb-a69f-4693-a6e0-445b71499b78/
Parent samples :
c5aaaf40148a7d8bd30681af759e7e922c491404610c1691d3ce7d1c1b849bcd
623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404
SH256 hash:
937ef93cce819c1832ebe7ae8d525a2eae8680b4023a1e3e557334321c601ca3
MD5 hash:
8f19986e5131150d1b68e0cd8f35c5a2
SHA1 hash:
2328f96fa34cb712386785cfbec65412ce9a444f
Link:
https://www.unpac.me/results/795fc1fb-a69f-4693-a6e0-445b71499b78/
SH256 hash:
fafa48d9d67d6345a75d033d57821782034c13e1ca9c554ae8cdda90f78537dc
MD5 hash:
1e32a213b18ab6bb042e1b213e0bcf51
SHA1 hash:
934129a0134a5dededc977ff37bfcd4d42a2781b
Link:
https://www.unpac.me/results/795fc1fb-a69f-4693-a6e0-445b71499b78/
SH256 hash:
623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404
MD5 hash:
ab6e82bdc18b130df1e33cfe0e27e736
SHA1 hash:
efe38e543b7a96068ebcdbb2bda0a8c9156e2860
Link:
https://www.unpac.me/results/795fc1fb-a69f-4693-a6e0-445b71499b78/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/623c6c210852/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 623c6c21085259132619e432eec989af10635e0eee84982462c4b64a139fa404

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/308793/

Comments