MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63f6026d12f89887e771e6f8518665353c55158a3d9bd17afb9bd9cd3ebf4f9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: 63f6026d12f89887e771e6f8518665353c55158a3d9bd17afb9bd9cd3ebf4f9d
SHA3-384 hash: db7a3fc7e53b657a15bdce367c1fe91848aa0cdbe5bc497fb4c53dd3346d53b3c2d1f46accd32216713676ed22c335c3
SHA1 hash: c7e71d3e1704e5f54db2cf20e0f9e6491a83f849
MD5 hash: dcc0b51454246558ae791b23e7c432ba
humanhash: avocado-avocado-xray-coffee
File name: C65v45yjPwh3N8G.exe
Signature: Formbook
File size: 868'864 bytes
First seen: 2023-11-09 11:11:59 UTC
Last seen: 2023-11-13 08:35:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:0VpBKPEDh+cRbSLFDEjf/4et0hpbK6Jn+UlvEUNZpYmI5q78xbwQd:glbSLFDqf/Ahp/nFsUBYxM78FwQd
Threatray: 31 similar samples on MalwareBazaar
TLSH: T10705AD232E797B66C93A43F34554414C43B66E5D3CFEE21B4D8EB0DADAB5B400A42B17
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): (icon image)
dhash icon: 4c33d8d4d4d8324c (40 x AgentTesla, 23 x RedLineStealer, 15 x RemcosRAT)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 3
# of downloads: 271
Origin country: HU
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: C65v45yjPwh3N8G.exe
Verdict: Malicious activity
Analysis date: 2023-11-09 11:17:37 UTC
Tags: formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (flattened from the graph image; node ids in parentheses):
Behavior Graph ID: 1339624
Sample: C65v45yjPwh3N8G.exe
Start date: 09/11/2023
Architecture: WINDOWS
Score: 100

Start node (2)
  Network: www.lesfeespailletees.com; www.justdancenox.com; 21 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

Process tree
C65v45yjPwh3N8G.exe (10), started
  Dropped: C:\Users\user\AppData\Roaming\wSrdaZ.exe (PE32); C:\Users\user\AppData\Local\...\tmp8EEE.tmp (XML)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  C65v45yjPwh3N8G.exe (16), started
    Signatures: Maps a DLL or memory area into another process
    xiFmulGlQpcCIlaPgCLX.exe (31), injected
      sdiagnhost.exe (42), started
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
        xiFmulGlQpcCIlaPgCLX.exe (47), injected
          Network: www.lobbytoto.monster 91.195.240.123, ports 49743, 49744, 49745, SEDO-ASDE Germany; parkingpage.namecheap.com 91.195.240.19, ports 49727, 49728, 49729, SEDO-ASDE Germany; 13 other IPs or domains
        firefox.exe (50), started
  powershell.exe (19), started
    conhost.exe (33), started
  schtasks.exe (21), started
    conhost.exe (35), started
wSrdaZ.exe (14), started
  Signatures: Multi AV Scanner detection for dropped file
  wSrdaZ.exe (23), started
    xiFmulGlQpcCIlaPgCLX.exe (37), injected
      Signatures: Maps a DLL or memory area into another process
      sdiagnhost.exe (45), started
  schtasks.exe (25), started
    conhost.exe (40), started
  wSrdaZ.exe (27), started
  wSrdaZ.exe (29), started
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-07 13:00:02 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SHA256 hash: b6958cdd0da20148b3a34afd485529299bbe004399f25de580213bea649cb07f
MD5 hash: 545fe22b6aa9b3e40641586cddd14964
SHA1 hash: 12f63cae5f8735ecf74a88b08878b52567ab9f2e
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 8cfaaf284732aa506853c0037763fa29540e2c493d3d25f3bf0bf12aa3b40c32
MD5 hash: 3007121926966ae3cda43ada91ab878f
SHA1 hash: 9c2f0498c9cfa865b8c5f005481036d27a940109

SHA256 hash: 4581f34244fa5a671e297f7a400c997855469de894c6781128830b9811f3be79
MD5 hash: 716f71f9c8fe3c861caf4e6252bfa781
SHA1 hash: f5412a3823dfd6b717cf5e92849744b21665d47a

SHA256 hash: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash: 579197d4f760148a9482d1ebde113259
SHA1 hash: cf6924eb360c7e5a117323bebcb6ee02d2aec86d

SHA256 hash: bfef9eac82e53e8d63bcb3b3022880eaf8f22cbbc6c69f3782b59c438f649f12
MD5 hash: ddf81912128dd196140e9be656c3a212
SHA1 hash: 51221baf7115f7f2de03cd00b8b25cfde9241a35

SHA256 hash: ac156470b8310cad60c792d829c3d85fa088ab41599126e97f1e6e3ba609a63e
MD5 hash: d305041d60973781d1815334e8636072
SHA1 hash: a92afae5901fd8f3f73dd83bec1dc18be247bef0

SHA256 hash: 31267ccb72031427b0c3db78a27beb4e582a6e907f6751b01be383dbfe40f9c1
MD5 hash: 022e0bbe1baab0a8336954c6dc17be03
SHA1 hash: a579a6faa04eb84e4d869b5e1a494f38fb37e3c4

SHA256 hash: 1c7c7447da5840d5c1193d745387f35a999a46792b89d5ba1fae704e2ec92945
MD5 hash: d28bb697f82b959d5f2476a8156fc0b3
SHA1 hash: 9bac66f2d6b57cf8b9018b5aedc79e1613796863

SHA256 hash: ab639ad1aff1a82e8319827534dd21ec2772e0710d2e91eb678fea8df85e4775
MD5 hash: bf599f2255044f5f2fa9123dd47d263c
SHA1 hash: 836a0d98f1864014f697d56427daa90c2f205b23

SHA256 hash: 6c72978fc347e7955adaffe902494d7529e551609c600b81a97cc76f36a48684
MD5 hash: f709182b3ca0c41859849de2ace04148
SHA1 hash: 5d68ed2b37e67f340f13538cbfae0feeb2a70277

SHA256 hash: 814e0e2813c5e3a3da1663ae7431d4ad07d62b137ecf03416263a9bbaf3d083d
MD5 hash: 70ddf3c31899686a2a8e79b8070d2334
SHA1 hash: 0216913138d4ac8d9246ea7b6b7443ec8429ecde

SHA256 hash: 63f6026d12f89887e771e6f8518665353c55158a3d9bd17afb9bd9cd3ebf4f9d
MD5 hash: dcc0b51454246558ae791b23e7c432ba
SHA1 hash: c7e71d3e1704e5f54db2cf20e0f9e6491a83f849
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create in the sandbox. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 63f6026d12f89887e771e6f8518665353c55158a3d9bd17afb9bd9cd3ebf4f9d (this sample)

Delivery method: Distributed via e-mail attachment
