MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69aa2e3cac902f024d6bb90201fc3703bc8c0501a2c7885b56ac4767e5f41c3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	69aa2e3cac902f024d6bb90201fc3703bc8c0501a2c7885b56ac4767e5f41c3c
SHA3-384 hash:	d7e2bcd1665e7b6e70fe369375a6ea25ae90513ad6d38ef78662c72f20f3599f9e9709815194aea8a4285bb8ffef7603
SHA1 hash:	aa26ceae317672587df112a62771d46a03fdf8c1
MD5 hash:	c697ea68b7fbd24afb372ca479d48031
humanhash:	saturn-glucose-mango-venus
File name:	SecuriteInfo.com.Win32.PWSX-gen.5480.28924
Download:	download sample
Signature	Formbook Create hunting rule
File size:	706'560 bytes
First seen:	2022-11-25 04:28:53 UTC
Last seen:	2022-11-25 07:30:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:UcYA6GhOWYx/M+4ZUO5GVr/CSh8oJFKNIayQofjSCYmZJbxpDF:vYpKN5qrKI8o/3aI+CY
TLSH	T10AE43CDF59613E08C34CBA70685735987F919C504948E0E8A3E937CA5A37FADCEA113E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.5480.28924

Verdict:

Suspicious activity

Analysis date:

2022-11-25 04:31:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/39b12a91-5c5c-4e2b-a7b8-704de8baa897

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/338273/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.5480.28924.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63804491536377388865c72c/reports/29d12591-fde6-4a4d-adc0-615d928b28c8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef4e9af5-acf4-4bee-ab78-4e2138e5475d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1120862

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/69aa2e3cac902f024d6bb90201fc3703bc8c0501a2c7885b56ac4767e5f41c3c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-25 02:48:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 41 (65.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ngvc4pfmsaxqetllxebad7bxao6iybibuldyqw2wvrdwpzpudq6a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:bmr1 rat spyware stealer trojan

Link:

https://tria.ge/reports/221125-e38qrsbd83/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f012d7d7-d15d-4792-b8db-3cf5f669f9bd

Unpacked files

SH256 hash:

ef16217780a46e8897e25a9c6118c3dd7d1b02cd14854bd34813f6fc6bcd51f3

MD5 hash:

87b6eff2a6e458d5286ffd81224c908b

SHA1 hash:

3ad8fbfab912ebc43a68fb776d3ddd247bd78a71

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

Parent samples :

849c96dad8e472bb60d06687e6da765c687355295f98348286c25d8d2a9ae613
501d6ddc2677cf909cdf85570bfbf09099004a108236bb25954758387f080b9f
c47f1c11eb874ce92afbe8eb3e24f44609f7d7bc154f705116975d5f735a1d4e
c9e9607f55007d3ba17ecad1010d43a501dca6bcc3af1c6c8a0f5bac49dccaa4
648048695290a99e4da3a55882aa6c2a62c2ee1b4fc780ebf87213f61909c34f
6acd00935237577146ba48525e5335d184431d023a35d986583f5a2e0eff58e6
69aa2e3cac902f024d6bb90201fc3703bc8c0501a2c7885b56ac4767e5f41c3c
01ff3a6ce715226b103f3bf80bdb44737fc8bccd38119a7372d8cdcfd3b034c7
2106aa8235bc1e05d367bae1e65c50bf8d11c4b4106ceebde0f9307ffcf273c0
a4392c3be6ba337f370c0b2170bf46c6c65f0054304f355d40b0b7fffec718e4
e121e41abc24cd4a27ec0537679a24a0c8ab76bacbb4e7d636fff4b775a89cbd
5b159fc1bab2c03c792747eac7c315c5f83dfef3145e617184d4a6dd86e359f5
6b6a8e21fa0d708c49bbd80ce2dbe680f27c391cf305b01e2ab1198c014da067

SH256 hash:

8192266c229eac4675ff1fb94a0311d69f49a30ea8581fdf3066761c579fbc26

MD5 hash:

4e8cb27da9e9cd3c2600117a53055218

SHA1 hash:

b245bd33081e0605be93290302a6e4f3433d1e7d

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

SH256 hash:

0880ccd4e346ca277ac008a187b750457aa1b3ef46f046d188bfcdbf862c1881

MD5 hash:

3adbf18e0b7e6443d25be6ffc2545500

SHA1 hash:

c770767cda03eed64cb9c384923958cdd241e217

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

SH256 hash:

e74c2a8ff440f7f2629e8683194f4bf5969f97094f41c3ec701014702783a34e

MD5 hash:

57a9c308e4820b01ad9f8e574800b5bb

SHA1 hash:

6e4553a19bca7c91e0e9bdfd03b2945c4380ae4b

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

SH256 hash:

ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52

MD5 hash:

1f2a6c02dcf9aa00a28a5039fb5b8ce0

SHA1 hash:

1ef480867d39b98368af7586a8e6ba38c0c3893a

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

SH256 hash:

69aa2e3cac902f024d6bb90201fc3703bc8c0501a2c7885b56ac4767e5f41c3c

MD5 hash:

c697ea68b7fbd24afb372ca479d48031

SHA1 hash:

aa26ceae317672587df112a62771d46a03fdf8c1

Link:

https://www.unpac.me/results/b96cf4f9-0ad4-4b1e-baa1-b22481115d79/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/69aa2e3cac90/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/69aa2e3cac902f024d6bb90201fc3703bc8c0501a2c7885b56ac4767e5f41c3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.