MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d
SHA3-384 hash:	23ec2642ac0c5706acb7bcd7d6f4d55dd9284a1dfd7310173f2a4ed33eb89966c31b89a64e51f85e9f1b12de943814f7
SHA1 hash:	7471529969c0d4b150ed51097dc7e1616d515b6f
MD5 hash:	f1d8d4495381bfb74174825b02cf7134
humanhash:	montana-early-seven-utah
File name:	SecuriteInfo.com.Win32.Malware-gen.27426.24479
Download:	download sample
Signature	Formbook Create hunting rule
File size:	859'648 bytes
First seen:	2023-12-04 20:34:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'693 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	24576:lXk+pJwtGBryED3snkKiQA1hzWeExQYHsI:lDJGGVcxi919WJ
Threatray	118 similar samples on MalwareBazaar
TLSH	T1D405D01961F96F19E43B67F48294010007F77B95A237E34D6EC9A0CB6E35B020E5BB6B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

374

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462451/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.27426.24479.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/656e3825da3178d99cd75917/reports/67bec5fe-058f-454b-976f-fde4cd40fb8b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/91c71200-daa0-44b1-ae42-3f92128cad90

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1353511

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-04 20:36:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mkyevqjsze5qw52fbxuvy45kmv4q2nfvijzipaahpflkyvuo5boq._file

Verdict:

malicious

Label(s):

formbook

Formbook

5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c

Formbook

62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d

Formbook

7f44887a14271366d29b2bacb0f4857755b9024fbba358a11ab4472a498b3da5

Formbook

aa6cd6162fb3dcd29b8b8d404c59e5cc6ea032f967af8aeb155e556ab872fc1e

Formbook

b5aae370f7b29f63c9dd24562d16b7a77bda593fbe4d2f316046cdb444e343f6

Formbook

d76f0bd5be27187672f2b89be93eba20033cadb397398143bfe6f81d8ef4d9dd

Formbook

dc7e71bcaab267806ba177fe20ca6362dddd73b424c956c3fd13fd36a201f449

Formbook

+ 108 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231204-zc1bxsfd2x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

9931088ba27158c711a22b5b451da8d1cdbf91babc692e3d7c802a11d2ea51d4

MD5 hash:

42116f0f3f70a7e40106636cb6d4e90e

SHA1 hash:

6ab0d596034ed962011ab149c0a5bcb67806f348

Link:

https://www.unpac.me/results/9a4f8058-b346-4fcb-8898-db6be551db59/

SH256 hash:

9df134e72f7dc982b54ae299bb78bda7baa959a30fa3962437b0fc87198ed96d

MD5 hash:

208d15d52d0b1e112e87c5885a2caaae

SHA1 hash:

46db27e1c9c0f6755883979778b7a7b34ba531b5

Link:

https://www.unpac.me/results/9a4f8058-b346-4fcb-8898-db6be551db59/

SH256 hash:

436359801cbfef0a42b25bdf0572a44e2db6fc91f053ee274599019a69017c69

MD5 hash:

eb709aa85cecd29307b128e82a309d33

SHA1 hash:

cf6e66dd71feba9b752e155c91b342e11b06a39f

Link:

https://www.unpac.me/results/9a4f8058-b346-4fcb-8898-db6be551db59/

SH256 hash:

a41ac40d0a8dd9296583fe6d2cab50f90bf2268e5e28b4687ca2af55a8be91e4

MD5 hash:

bf1994c96124235cfa2f7714578ac1b2

SHA1 hash:

c788c8cc947b4e92d59cc0d28437b1f9bf3a6246

Link:

https://www.unpac.me/results/9a4f8058-b346-4fcb-8898-db6be551db59/

SH256 hash:

2340d070fc92470913072bab9087c4ed5675a0e8d4c61145553a8aad52a16994

MD5 hash:

0cf35c9e685b649b084dc5d385aaa62b

SHA1 hash:

06ab63a9a595c6ef82206c7388ff6aee4b1adb51

Link:

https://www.unpac.me/results/9a4f8058-b346-4fcb-8898-db6be551db59/

SH256 hash:

62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d

MD5 hash:

f1d8d4495381bfb74174825b02cf7134

SHA1 hash:

7471529969c0d4b150ed51097dc7e1616d515b6f

Link:

https://www.unpac.me/results/9a4f8058-b346-4fcb-8898-db6be551db59/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62b04ac132c93b0b77450de95c73aa65790d34b542728780077956ac568ee85d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/462451/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample