MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
SHA3-384 hash: f16d721ab225ba71a834e571d8ae9525159d97023705ce22ee66f665468896b05f8526db88891abe81638d33952f6d7d
SHA1 hash: d83296177c8f166a95cafbd12ac1ae327ded42c7
MD5 hash: fddc263879fbf539b746d116e8429a7f
humanhash: stream-muppet-south-nineteen
File name:PI No 20000814C.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:691'200 bytes
First seen:2024-05-23 13:14:28 UTC
Last seen:2024-05-23 13:32:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:aYV6MorX7qzuC3QHO9FQVHPF51jgcxL/wgbggD+En6onCvJzgngsU:JBXu9HGaVHh/wgbv6okJQNU
Threatray 5 similar samples on MalwareBazaar
TLSH T1BDE423C12A86DC6BC45813BDC83F8D606441B8B1CFD03B6E8695F15FB5AA783D43785A
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88.exe
Verdict:
Malicious activity
Analysis date:
2024-05-23 13:17:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6561e07e-6321-4ed7-b392-169afd376142

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.AutoIt.1383.24827.23348.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664f4359aa38ca2df05df9eewin10vpnfull_triage
Tags:
Shellcodecrypter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
AutoIt lolbin packed packed shell32 upx
Link:
https://www.filescan.io/uploads/664f415a9ef257851a96ff8c/reports/9a39b48c-3a21-4e76-b213-d21cf9f7e74c/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1b6355ba-9a00-44f0-bf00-115403e8e1cb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1446508
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446508 Sample: PI No 20000814C.exe Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 28 www.autonomyai.xyz 2->28 30 www.upshercode.store 2->30 32 21 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 50 4 other signatures 2->50 10 PI No 20000814C.exe 4 2->10         started        signatures3 48 Performs DNS queries to domains with low reputation 28->48 process4 signatures5 62 Binary is likely a compiled AutoIt script file 10->62 64 Writes to foreign memory regions 10->64 66 Maps a DLL or memory area into another process 10->66 13 svchost.exe 10->13         started        process6 signatures7 68 Maps a DLL or memory area into another process 13->68 16 YoOsbbockoYKKBpRowW.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 cipher.exe 13 16->19         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 2 other signatures 19->58 22 YoOsbbockoYKKBpRowW.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.anoldshow.top 203.161.43.228, 49723, 49724, 49725 VNPT-AS-VNVNPTCorpVN Malaysia 22->34 36 upshercode.store 162.240.81.18, 49706, 49707, 49708 UNIFIEDLAYER-AS-1US United States 22->36 38 11 other IPs or domains 22->38 60 Found direct / indirect Syscall (likely to bypass EDR) 22->60 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88/
Threat name:
Win32.Trojan.ShellcodeCrypter
Create hunting rule
Status:
Malicious
First seen:
2024-05-23 03:50:53 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nab2asrxnx3pq476koz3pg7reu2lrqnxjubxuapvg7tuxlezj6ea._file
Verdict:
malicious
Similar samples:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Formbook
19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77
Formbook
37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
f7decb942c4d2f001d2f810978463780697403597ed4f5102a19c27edd649ce3
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240523-qg8pesce6v/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/302f6258-a0ce-497a-9d19-2d2068db39db
Unpacked files
SH256 hash:
fbc684b9f271d7181520b209e056c1716ba7b4978a2f16436f9bd70a092d9a70
MD5 hash:
d1c5b0c93c60dadd5c6407b6b008114f
SHA1 hash:
88bdaed82d9772d06d2e86f0b6b3b08d16e155e7
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
Parent samples :
6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
1f66505224b6b1669db0864482bdbd457da983e886ed943c59834eae5e5c32f2
00f1fb00fbb9ce5d850680876407d82a520230bc09ffa540d5321fb5ecb1d0c8
SH256 hash:
80a405771746ba16d6cbee64bd480b6fa8e2ae49fcc0075ed9358ba1c4727dfe
MD5 hash:
77e88fbec9d9c24aef7284c21dd27e0e
SHA1 hash:
56142271a45747e78c36b18cae59282f8f6fe58d
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
e29923d4e3fa5b30614a263828db410b0ab5c452a4237c8ae33a21ffaaf73cc4
MD5 hash:
2c40af3164c197806fcf499a1e6a0b85
SHA1 hash:
4bb49ffbbaa20503615a610b579a2c8dacb21fdd
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
Parent samples :
6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
e29923d4e3fa5b30614a263828db410b0ab5c452a4237c8ae33a21ffaaf73cc4
SH256 hash:
084efcf9e09d351ca7b51b44a8c61e64b40dc6afe4a1ab8809f525d6183be2b1
MD5 hash:
301abc2f31b05d2358057f58efa18822
SHA1 hash:
8d8b1c6c0c257dc94c8fd06ef4e969a4107d9436
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
32234b7b994aec72dede916a044eabfd140fe733f1d6ae888df7bb192e6c70f3
MD5 hash:
3392e13cc7107b04a51f0934b2397f21
SHA1 hash:
7bede8d08478739f155a3c7e63b5f576fa1e5f4a
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
4c78a518fd2b725fea9d58de314dee002d196c599442c5f84d5408810cfd6c5d
MD5 hash:
3a25096d4e588e133f4511484e855275
SHA1 hash:
6f9737c1ee2779f58a5f0f0304d5291dd2a2b3e1
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
06a8efd807841bff9bfc7aa174260e9ddb89ef7370d90d93abb3ebba099b2ec8
MD5 hash:
2c16b217fae6ff22505dc2cdfb0e265f
SHA1 hash:
6f439c56a851df08d6bd13f3a078e587cc0eb886
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
8af52900add6cb6f775a113b005343532aaad0d32ad9d58a180cbe4e5940bca0
MD5 hash:
44468e578a9798f2f275186d49f499e4
SHA1 hash:
20b01fa9827ebf41864ec1e984ee5d8833c4538a
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
d132d0c14430bdb416c09c176923a1c65ede8348815f45477b5d73e19cf2ce1b
MD5 hash:
4601bc5e9a5d1ae6ed2b4b03863fbd85
SHA1 hash:
15b478d5c7cd1857e10df429a4423b5fa03464e8
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
SH256 hash:
6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
MD5 hash:
fddc263879fbf539b746d116e8429a7f
SHA1 hash:
d83296177c8f166a95cafbd12ac1ae327ded42c7
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/6be3a485-b363-4891-8a6a-604a37b3a6f7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6803a04a376d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments