MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66e44f77663e1e6b2d7e755b99ff201964467d2ac490df273169d1ec02135776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	66e44f77663e1e6b2d7e755b99ff201964467d2ac490df273169d1ec02135776
SHA3-384 hash:	3e74b55fe46d0b2a7448a4569a593d2ceb795605ca5d1918585a66d2c652c9124dd2867c198f94688da3895481aa2587
SHA1 hash:	4a2f37757fd14ad8e4617b22ca5c417c81179d32
MD5 hash:	dc7242b83e03e116c8246dbff2df443d
humanhash:	nebraska-carpet-tango-golf
File name:	SecuriteInfo.com.W32.AIDetectNet.01.30176.8835
Download:	download sample
Signature	Formbook Create hunting rule
File size:	771'072 bytes
First seen:	2022-07-18 15:45:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:IfuNzB0WSNCeWazT7tYjVdPApAwD3fg7gD+G/lxHW66Gh8hDt8jdupvb2gb3IU3C:muNl0Bs9azTBYRVAp/DPg7PMWMh8pt8r
TLSH	T1C1F401403AA95B0AEA7E43FD5435058157B1FB1A2621E39D8DD5B0DF2A31BC4CE84F2B
TrID	54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/291628/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.30176.8835.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit packed

Link:

https://www.filescan.io/uploads/62d580790e298a94f3da421f/reports/853e53ce-8ebe-46fc-b5f0-d308b4f48600/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e2fae19-32cf-4f85-b25e-6065832145ae

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1035947

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/66e44f77663e1e6b2d7e755b99ff201964467d2ac490df273169d1ec02135776/

Threat name:

ByteCode-MSIL.Spyware.Negastea

Status:

Malicious

First seen:

2022-07-18 15:23:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3se653ghypgwll6ovnzt7zadfsem7jkysin6jzrnhi6yaqtk53a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/220718-s7lzfshgej/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Xloader payload

Xloader

Unpacked files

SH256 hash:

1cd66b408a071c6a0809981704b0a1f0a3edff8c76fce9b23459f8f0024adf74

MD5 hash:

80be3980a166c89c4ee328498685713a

SHA1 hash:

09f91859794601838f32922f0b418ff70acdba78

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/452778a4-da27-457e-99d5-27c5b569f875/

Parent samples :

c21fb3b78e63dc303da89cce5458e70d8e991529c0c15d3170b079182af7e529
32e1ca421ebb3d724b26bbeca54ff377e6396358226cfeda960142f7d9a7bfbe
ea02c085fc4e149d308e42db8016b695d8751ab9a681a7091402fe9b8c877cb1
08b878fd0b50fe201a07c27a3769d2461dcd2d2f2e80154cea90f3734438db00
66e44f77663e1e6b2d7e755b99ff201964467d2ac490df273169d1ec02135776

SH256 hash:

4eeedca20f4407180d5b7b94360d5f16b9568fa9a2d60d97b1052e55bb70cf32

MD5 hash:

2a30a3df28ffd4a85e1a14f346ba204f

SHA1 hash:

e33f87d36f957e227f65dfe8eb7bc3d402180dd2

Link:

https://www.unpac.me/results/452778a4-da27-457e-99d5-27c5b569f875/

SH256 hash:

532682b52f57e3b69b852799faac6d115125a1a0eb3c78ba7c56c1f5c818411d

MD5 hash:

54e34edb1479f2a1efb20651a9d4907b

SHA1 hash:

7996421f781d8e13ed3389c511e90591ee1e96d7

Link:

https://www.unpac.me/results/452778a4-da27-457e-99d5-27c5b569f875/

SH256 hash:

0e7cbc3575f3e0813aadf615fb373b03422bd9d6ac3b97dc3326adad4214b941

MD5 hash:

894bb4b7e2827e35c194cd14309d57fa

SHA1 hash:

736fb1fbf155a49b5abec571cfed9ee1efd40675

Link:

https://www.unpac.me/results/452778a4-da27-457e-99d5-27c5b569f875/

SH256 hash:

d485a146ba8b1e5b15bae15f682ff489c55c203f4b00c105010d61edeadce7b7

MD5 hash:

88742cbe7fc23e32a156c50c15cd072c

SHA1 hash:

1cfbb622a2c7ec0d45dec97c5e1a1386da1bb378

Link:

https://www.unpac.me/results/452778a4-da27-457e-99d5-27c5b569f875/

SH256 hash:

66e44f77663e1e6b2d7e755b99ff201964467d2ac490df273169d1ec02135776

MD5 hash:

dc7242b83e03e116c8246dbff2df443d

SHA1 hash:

4a2f37757fd14ad8e4617b22ca5c417c81179d32

Link:

https://www.unpac.me/results/452778a4-da27-457e-99d5-27c5b569f875/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66e44f77663e1e6b2d7e755b99ff201964467d2ac490df273169d1ec02135776

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/291628/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample