MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3
SHA3-384 hash: 51f8d8df3aca00252af9c0ec7aa5e3d83c8cbad98a82939e4e1174c5352723c2dfd8de1461cc070a9000b347db961bf3
SHA1 hash: c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086
MD5 hash: ad8256cb4be1b817a6df0726f8cdee0f
humanhash: fix-spring-don-lion
File name:PFI20-21008_.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:460'610 bytes
First seen:2023-01-10 08:57:32 UTC
Last seen:2023-01-10 17:17:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:SYa6VqwZutS+e5zeoD4P4uEhgVZx8Yr/V3qCSoC/LAIkmiFTo+mo:SY3tutXe5DD4PjogVP8sqC5CDqFEm
Threatray 17'954 similar samples on MalwareBazaar
TLSH T1C7A412057B80C023D69507715DFAD62EAE79ED083F560B07A78837AE7AFB391891D348
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a090486032592c16 (1 x Formbook)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PFI20-21008_.exe
Verdict:
Malicious activity
Analysis date:
2023-01-10 08:59:59 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/fe7432a5-3f81-47c8-b89d-1ca0791891b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351436/
Detection(s):
Sanesecurity.Rogue.0hr.20230110-0534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63bd289d83a5ae8cb4a84b94/reports/7819d79c-478c-4ead-bf80-422f53f76b26/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09ab9073-642a-43d7-87cd-e087a1085b44
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148574
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 781306 Sample: PFI20-21008_.exe Startdate: 10/01/2023 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 2 other signatures 2->39 9 PFI20-21008_.exe 19 2->9         started        process3 file4 25 C:\Users\user\AppData\Local\...\oslngvyxu.exe, PE32 9->25 dropped 12 oslngvyxu.exe 9->12         started        process5 signatures6 51 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->51 53 Maps a DLL or memory area into another process 12->53 55 Contains functionality to detect sleep reduction / modifications 12->55 15 oslngvyxu.exe 12->15         started        process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 27 allthekey.com 92.204.219.113, 49714, 49715, 49716 VELIANET-ASvelianetInternetdiensteGmbHDE Germany 18->27 29 www.oktbvector.ru 91.189.114.19, 49717, 49718, 49719 RU-CENTERRU Russian Federation 18->29 31 8 other IPs or domains 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 22 systray.exe 13 18->22         started        signatures11 process12 signatures13 43 Tries to steal Mail credentials (via file / registry access) 22->43 45 Tries to harvest and steal browser information (history, passwords, etc) 22->45 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 08:57:40 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxe7aul7ee3c2bn3y43bz4x2rgxbhez2y325dqqjf77vk6k4edzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
038e56890849d9c8e78dd5acf04c0ee59b9fdb4f26bbf175fbb0ee3ef01ae55c
Formbook
123e747239c973af2c8b7dc8a33b26fdc3cb05f2be8af864290f823daae7d764
Formbook
1451a0db83b9e0d83eac9a040a5058e9d4aeb54d484c5dae698c3ce0c002ffb0
Formbook
48c2d31acc0c9de4e78cf10a906fb274f9512bf32c221ed5d5272ba98e9f0b44
Formbook
492cabb55a2f649ce32194e8f9737a51f071b370bc9cd527aa8cd0b844ee7ea8
Formbook
88b0580ee00c3960e18e05607d37ad78b0b34dc17362d2e98dfe59eb7f3a0a02
Formbook
b394bd2bf5686012f76693ff9daddc941662d0c564e4ac4a530ea34b4b0d8cc6
Formbook
c33fd689aaab0c578d7569270d48b3c1fd9c9b28f45d81db6510326d0ddd0475
Formbook
ea5cc541f270957672194a8f4c941dc614c46082d7d0e5edd64567a510aa6b1b
Formbook
+ 17'944 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230110-kw6wgsbc2x/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/881dcb13-a443-47f9-864b-019921ae0057
Unpacked files
SH256 hash:
7e12c0451c7c8b731aa8a35aee524abeee10706bcae4a0b4629c5f7390814b46
MD5 hash:
4f19ec9db71527fb68f66f542cfcb7a2
SHA1 hash:
1a946e52ed9e37259914bea16f68dc7b1b399b61
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/809b826b-f7b7-4f07-994e-dce517e02959/
Parent samples :
492cabb55a2f649ce32194e8f9737a51f071b370bc9cd527aa8cd0b844ee7ea8
65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3
7f284920214e53f8231f59b0ca2a804e41fb74ee8fd81b9ca86e6c39eadec7d2
SH256 hash:
30b94332c59fb52e4ef32e2f55d0a55a356843ab88bf2efbb185ab9f58208cec
MD5 hash:
567eead37c112b5a8ba06e5caed24807
SHA1 hash:
6cd98f6b2e5de68f928d83983379851471ba304c
Link:
https://www.unpac.me/results/809b826b-f7b7-4f07-994e-dce517e02959/
SH256 hash:
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf
MD5 hash:
8b2553bfab2c74f153508617e6111f0a
SHA1 hash:
85a6b8674329fa5a77145f11854ec27b773b9a40
Link:
https://www.unpac.me/results/809b826b-f7b7-4f07-994e-dce517e02959/
SH256 hash:
65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3
MD5 hash:
ad8256cb4be1b817a6df0726f8cdee0f
SHA1 hash:
c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086
Link:
https://www.unpac.me/results/809b826b-f7b7-4f07-994e-dce517e02959/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65c9f0517f21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073

Formbook

Executable exe 65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6711c995ac7969ff29da0b552321649f46e38726b01c18df401d8b0085120073
Cape
Cape
https://www.capesandbox.com/analysis/351436/
  
Dropped by
MD5 ef87a41d5da2a6aa33762326090efb71

Comments