MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c
SHA3-384 hash: be6f934e3af65aee0248dccb666ff6deb2f1de14f096ec0c8ed62f4c56eb6fbe38db4e0711038af5bebe006c679ed9ca
SHA1 hash: 56e3e97cfa5dd95fe46e7e3107b7ba9a3dc217bc
MD5 hash: dff3d6417aeecc465378554ac8e1cef9
humanhash: mockingbird-harry-carbon-zulu
File name:OR_HO1163_SKF_AH23.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'007'104 bytes
First seen:2023-02-21 13:20:23 UTC
Last seen:2023-02-21 14:36:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Sky9IISrJ+Hlmb+5rsP4EnWsBOHC8Myzympry:G++5rPsDwymB
Threatray 2'106 similar samples on MalwareBazaar
TLSH T19325AE9A33B46073F5CB01FE5C38278C2E2076577619E26E9B77BB91A2749FB7284101
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OR_HO1163_SKF_AH23.exe
Verdict:
Malicious activity
Analysis date:
2023-02-21 13:26:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66732ac3-9706-4565-95df-8002c996f019

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368636/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/63f4c540d385ee58584e4811/reports/489d2909-391a-4f9e-8d46-989e9cd965fe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59420772-f63f-4213-a1bd-e1b75103e653
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179758
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 812590 Sample: OR_HO1163_SKF_AH23.exe Startdate: 21/02/2023 Architecture: WINDOWS Score: 100 31 www.iclimate.guide 2->31 33 iclimate.guide 2->33 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 2 other signatures 2->47 9 OR_HO1163_SKF_AH23.exe 3 2->9         started        signatures3 process4 file5 29 C:\Users\user\...\OR_HO1163_SKF_AH23.exe.log, ASCII 9->29 dropped 51 Injects a PE file into a foreign processes 9->51 13 OR_HO1163_SKF_AH23.exe 9->13         started        16 OR_HO1163_SKF_AH23.exe 9->16         started        18 OR_HO1163_SKF_AH23.exe 9->18         started        20 OR_HO1163_SKF_AH23.exe 9->20         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 22 explorer.exe 2 1 13->22 injected process9 dnsIp10 35 www.glbinwene.com 156.236.69.171, 49703, 80 YISUCLOUDLTD-AS-APYISUCLOUDLTDHK Seychelles 22->35 37 www.bestmarket.website 199.192.31.98, 49707, 49708, 80 NAMECHEAP-NETUS United States 22->37 39 9 other IPs or domains 22->39 49 System process connects to network (likely due to code injection or exploit) 22->49 26 wlanext.exe 13 22->26         started        signatures11 process12 signatures13 53 Tries to steal Mail credentials (via file / registry access) 26->53 55 Tries to harvest and steal browser information (history, passwords, etc) 26->55 57 Modifies the context of a thread in another process (thread injection) 26->57 59 Maps a DLL or memory area into another process 26->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 12:56:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfrmq5zsdcu2oxiiebgz6ue7glzb5sln7iofx2s33e2f3cv3vgga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
294a6483b66178781dd80269ed44df06ae73e3703edf116e0a92889250725c84
Formbook
49fe1618c14d32183b774338d27a474d16e05519bb3967940fb33e6af06170f0
Formbook
591ea8c06daef587f239bbaa3d29cb46ccba25ccba58c324441efbaf4c5eb5d8
Formbook
615349f7344705307b2316dee1177a887390195e85d692069fb2c74def5a4ece
Formbook
6b2d71b9e5b1ed1d75d7eb03141735491c906c4e4dc6846bc1ef6e032507b1a5
Formbook
93e9640423fb4afef5c9255f3489af80b7961696350cf0c30cb295711bb50a8e
Formbook
be82fad6a7978bb60d6b647db8e830578af39a2cb60155beb19a86806da13caf
Formbook
c14e90c00e4990b3c80a1ed015ad0bf6fdd7fb1d083b7b4d756b5cb74f6c7cd8
Formbook
ca36938bca50bc95f123c86a7c886b2da3add6b082b31146bbfae46ddccc473c
Formbook
+ 2'096 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230221-qlnj2seh45/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
e9d646bb05e91c1e8695d76931f396086c3b0ac3a555c9e0254fa1a050150159
MD5 hash:
daa5dc958c921ea4a72c9102a0a58ba1
SHA1 hash:
75a39eb8017bd1bd424ce137d1f80688c58afbd7
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
Parent samples :
49fe1618c14d32183b774338d27a474d16e05519bb3967940fb33e6af06170f0
294a6483b66178781dd80269ed44df06ae73e3703edf116e0a92889250725c84
6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c
SH256 hash:
e6aaa47556e208d4fe343c936074e6e7b7c7353dc484e73ecb07662965fb218b
MD5 hash:
3488a0fb8d115d43c3c4667230784503
SHA1 hash:
63b1508d1415bd31a3c15ce69aacf95a1f8102a1
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
SH256 hash:
d2ff6f2fd3e606b0a430100861df8b211889e29f0a5da5c9eb24d71b5c1a0a3d
MD5 hash:
522736bce289861dd52c1f713a44e8fc
SHA1 hash:
a2ad3e57c8d2519f20c646ee39cc265fca853c53
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
SH256 hash:
f11ca8a4ea5b7a7c2b982020fec273ab6246b75ad4c9e45fbd475eb0a1350c17
MD5 hash:
2a0a9f880a5fc4e16971fc0752b0854c
SHA1 hash:
84952dbf095679f3d5da366c6ef99f13136bb4c5
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
SH256 hash:
5544301af2ac2debade3e1f441b3bbbe6a0b67e7c51741eae2f053ba81932d1a
MD5 hash:
899b3d75fcdb02df5fba7eae09134d4d
SHA1 hash:
590eaca1fd64436f6954299307dfec2b539949d7
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
SH256 hash:
6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c
MD5 hash:
dff3d6417aeecc465378554ac8e1cef9
SHA1 hash:
56e3e97cfa5dd95fe46e7e3107b7ba9a3dc217bc
Link:
https://www.unpac.me/results/cdc914ef-435e-42ab-aad3-61592a4198ad/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6962c8773218/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/368636/

Comments