MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4
SHA3-384 hash:	93d0f5746e344f485db56503460e41503484f20341de5a3f26c54c6ab928d8521b010f5e419969222196bc8e5ce4eba1
SHA1 hash:	23fb75fad6e446f6be3253239436ad9113201cdb
MD5 hash:	17eedbb519ff1f6df572d508a9ee19a7
humanhash:	lithium-pennsylvania-massachusetts-thirteen
File name:	UPDATED SOA.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	803'328 bytes
First seen:	2023-05-05 20:04:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:V/11KdjlbOUxP1s5rCweuy1d0y518Q49Cr81ELpjFXmAiE:pPKlMUt1yLeuy1d0S8QeELpjhmA
Threatray	2'754 similar samples on MalwareBazaar
TLSH	T11F05E1212379B791ECF683FC6604A001AFB46D6197BAD5E80DCAF4CD6154B18FB20B97
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

UPDATED SOA.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-05 20:06:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/69b6a3cf-a1d6-43fe-a6dc-45ffb0ebd438

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/387019/

Detection(s):

SecuriteInfo.com.Variant.Lazy.339156.27321.1245.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw packed

Link:

https://www.filescan.io/uploads/64556170eac7a62e36cca4bb/reports/c4ec0510-1eed-4046-acc6-7ef72ddce77e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbf03fa3-db57-4324-bc18-c12ff3e6b18c

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1227323

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-05 07:36:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m5dytdr3vzu2bf2hbaq2urbpsy6jlq3x3lyvz3dd7cj5fdztjt2a._file

Verdict:

malicious

Label(s):

formbook

Formbook

2c41ec55217c805b8a73085daa06089d01cd601d1bc16a0099be113222e0446b

Formbook

3dca60e7a32bc81165f399bab2162271332156e05c490ed4af3972713a1cb0f4

Formbook

44a297e5ccf344c0422f4f80b2c490f2650bf44c142f131378b2eb6a6507bc9b

Formbook

4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e

Formbook

61141d9453d13d203de8255903f1aec9fea4906616f000cca0b906a58d754cca

Formbook

73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622

Formbook

8371116d95aa209dd33ab56ef48b991b23c0882d04efe59bee73039077565197

Formbook

92260cefa8e973f4c40e32aa5656cc9794b745db70b5c7b410a7b0b10c443c6c

Formbook

b5f2e0b49faad7f9714d0b1088965647eb83d8772b234555738bcea1094dfd2f

Formbook

+ 2'744 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230505-yttp2abe59/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

4e094307bb65daff99f7ebef8de4a3088e9a64cb6ce807da025e8cb6cdb62b82

MD5 hash:

0d6792f61c5ce7b70e845e5ca3053976

SHA1 hash:

590a677f0afdc16240e0708e19f6c1854febbdd7

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

Parent samples :

167cc7f70f2d0e79c1b1eff6d9c483f9c2c8fcaab0e44d6245d89e997831ca12
8371116d95aa209dd33ab56ef48b991b23c0882d04efe59bee73039077565197
2c41ec55217c805b8a73085daa06089d01cd601d1bc16a0099be113222e0446b
6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4
69087db34f2934a2bc582a76273d4f3d75e15fda3e900a56e8f89bcc04c8040e
030026bf6983702ec4865754d69d48af120bf0dea165ef7ef22428422412fff4
1f3e2e4828e5254eb321e357600476932a047e8f1083ce39d4f2f919b25314b0
f1c78b2121d019681e884190c1968c1fbdd4d38d42933c2e6c0aefd4daa3f6a7
2bfe16100af653d012b5b833cf2ed6431ae1ca9660fab081679f92da34fb5f57
c955c4f58223f8e72a6f1d7f7e0090fdb849996784f225c38fa427709e1272dd

SH256 hash:

43c8579f16cc456e55b7d7d6cb23ed21175b45875755b8eae0ff777e871c1700

MD5 hash:

7944d6199d4993a886d7d37f3d0eacba

SHA1 hash:

70a9b695fedc4c173e4f4b64ee939da09326ef52

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

SH256 hash:

280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2

MD5 hash:

d4b6893a5512534104c6c7403be60897

SHA1 hash:

d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

SH256 hash:

f2b10d9c4fa0e2f14aef92dd1835e7b086cbb8b28aa6e874591ccc2a59f51a68

MD5 hash:

ea2514930c0d3a840674544c2cbbb424

SHA1 hash:

9956a25943bd6125b2f1031a442d9ac8d43fb8f0

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

SH256 hash:

e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688

MD5 hash:

920a2854e9c183ad2ef7d5543c296d38

SHA1 hash:

2c20da753bdf6f1a46261e2c132dd42f75c94229

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

SH256 hash:

ce7b0478e7a78ab0a1002b280fe6fed2823b24564c99932d7de02ed9daa9c039

MD5 hash:

18b0393e72c78e83357a16c212c7e883

SHA1 hash:

1944549f5e06710481208b444118906040b9ffb4

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

SH256 hash:

6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4

MD5 hash:

17eedbb519ff1f6df572d508a9ee19a7

SHA1 hash:

23fb75fad6e446f6be3253239436ad9113201cdb

Link:

https://www.unpac.me/results/c3c4f697-e27d-4a20-a168-5445f49f7876/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6747898e3bae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 6747898e3bae69a097470821aa442f963c95c377daf15cec63f893d28f334cf4

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/387019/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample