MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec
SHA3-384 hash: 8b361cfb93f1ea8840566d84cf3b10040f9b59256c77e92444662cdadceee6e266be0711f0c845468d775f2fccc75097
SHA1 hash: 30d688c3923e089ff08facbacbc0cd55499bbca8
MD5 hash: a8bd1b12d450b9f4513524f0eacb7359
humanhash: august-vermont-arizona-princess
File name:RFQ02212420.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:771'080 bytes
First seen:2024-05-02 06:08:34 UTC
Last seen:2024-05-02 06:26:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:T+DbgnB778QeyRP4az8lAU7Bg6CptS+DWByepN7R6soWWot21y1PknyjVn6cFc4H:6gnBlP4aYlAU9dC/SgMyszFWoQQ8nyj3
TLSH T18FF4015172EC9F62DABA5BF14034E9804BBA3CA26821F24D1DC5B8DF59B2F844750B1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70e8d4d6d6d4d4d4 (10 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec.exe
Verdict:
Suspicious activity
Analysis date:
2024-05-02 06:10:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b5e6209-c18a-4f78-98c3-7d09e57bd422

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd lolbin overlay packed
Link:
https://www.filescan.io/uploads/66332e00e5dfa30836f24fa7/reports/16639f11-7db8-461d-b203-e0cbe2d29d79/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8041af0-39e2-45cf-b25b-ba277f2ade76
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1435153
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435153 Sample: RFQ02212420.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 31 www.www60270.xyz 2->31 33 www.valentinaetommaso.it 2->33 35 21 other IPs or domains 2->35 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 47 9 other signatures 2->47 10 RFQ02212420.exe 3 2->10         started        signatures3 45 Performs DNS queries to domains with low reputation 31->45 process4 signatures5 57 Injects a PE file into a foreign processes 10->57 13 RFQ02212420.exe 10->13         started        process6 signatures7 59 Maps a DLL or memory area into another process 13->59 16 owtAaPcGSc.exe 13->16 injected process8 dnsIp9 25 www.fairmarty.top 203.161.46.103, 49761, 49762, 49763 VNPT-AS-VNVNPTCorpVN Malaysia 16->25 27 aprovapapafox.com 162.240.81.18, 49765, 49766, 49767 UNIFIEDLAYER-AS-1US United States 16->27 29 8 other IPs or domains 16->29 37 Found direct / indirect Syscall (likely to bypass EDR) 16->37 20 replace.exe 13 16->20         started        signatures10 process11 signatures12 49 Tries to steal Mail credentials (via file / registry access) 20->49 51 Tries to harvest and steal browser information (history, passwords, etc) 20->51 53 Modifies the context of a thread in another process (thread injection) 20->53 55 Maps a DLL or memory area into another process 20->55 23 firefox.exe 20->23         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-04-29 09:00:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m35j5di4wbag5yj6sra3mwypaqc5nsch3ropulrdenbnbwaidxwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader
Link:
https://tria.ge/reports/240502-gwfshsba4x/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
PrivateLoader
Unpacked files
SH256 hash:
5a2e2086d5d8e5cdff76eee77768850a4c5d61de4ba421ddb0de99aa519b0ee1
MD5 hash:
ca0a9b4e0d418b2f684462250dc5072d
SHA1 hash:
e8c5ffbae73d7d07953184a3bfe7889269da99af
Link:
https://www.unpac.me/results/3ee3b8c9-da62-4977-9d74-435972cbc383/
SH256 hash:
f0e65bf293dcce196162c676486073a745f072db86e553e73c2e73404dacd1c0
MD5 hash:
15abc10dff1a7ab6eddea2d73f4ac80c
SHA1 hash:
c1d1bdee4577a5d95d4c4524ae922a6ba756f846
Link:
https://www.unpac.me/results/3ee3b8c9-da62-4977-9d74-435972cbc383/
SH256 hash:
e50a90b64f09df89e9350890e8463de75396249124f9975377a9d7e4b18f106b
MD5 hash:
d06b3aadfe7000c741d6aad61f89cb0b
SHA1 hash:
d6948e79c2e2505c7bad722c9b6b52891f5e4ca9
Link:
https://www.unpac.me/results/3ee3b8c9-da62-4977-9d74-435972cbc383/
SH256 hash:
c977925898f2c93b60953653ac7928c86d1db3e778c40ed4378261bb9e5faf51
MD5 hash:
f12e2ba8c3f3b70041b3814ff0dda4a5
SHA1 hash:
0f195865492c542054f3406a8f09d26568faf557
Link:
https://www.unpac.me/results/3ee3b8c9-da62-4977-9d74-435972cbc383/
SH256 hash:
8213a6a34c36db37675298dcbbbb36451ddf233c1af7e8783be225d3e4c08271
MD5 hash:
a2f5dafc17432fdea2f85c9c972167ca
SHA1 hash:
004139faa5268e3fd9fcc92710d0e331d32a2d7b
Link:
https://www.unpac.me/results/3ee3b8c9-da62-4977-9d74-435972cbc383/
SH256 hash:
66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec
MD5 hash:
a8bd1b12d450b9f4513524f0eacb7359
SHA1 hash:
30d688c3923e089ff08facbacbc0cd55499bbca8
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/3ee3b8c9-da62-4977-9d74-435972cbc383/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/66fa9e8d1cb0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/66fa9e8d1cb0406ee13e9441b65b0f0405d6c847dc5cfa2e232342d0d8081dec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments