MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62d20f5ce8950e995b0736bb3bafedb34f3b7d95f190b3a0a1592d808f697cac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: 62d20f5ce8950e995b0736bb3bafedb34f3b7d95f190b3a0a1592d808f697cac
SHA3-384 hash: 25183646774f6e503b78c0e18b7d4b34e21b074c94cc4611715ffe4875b99cd4a6e59b6c0e89466b3e253892d1730065
SHA1 hash: 19cdb164b288f7eeb0573085dd0618181c7ba19c
MD5 hash: 563e92482225cccdf613e99a5e9c5878
humanhash: arkansas-bulldog-video-india
File name: SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.10978.4642
Signature: Formbook
File size: 870'400 bytes
First seen: 2022-10-12 04:03:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:dp/HG5izZHPnmxRhsonwF4ZwPSS2v77j1I1N7Zd:nZHPmvhsk2D875I1N7
Threatray: 18'943 similar samples on MalwareBazaar
TLSH: T1F3056ABA12924516E8153175C8C7D2F32AFBAD607061D1C7AAD76F2FBC450BFA213386
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-10-12 04:04:11 UTC
File Type: PE (.Net Exe)
Extracted files: 21
AV detection: 21 of 26 (80.77%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:mmtr rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext

Formbook
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments