MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a40f8d6e9ec178ae88ea1a08a6997154dc7b118ac126635b12858ac86d84995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a40f8d6e9ec178ae88ea1a08a6997154dc7b118ac126635b12858ac86d84995
SHA3-384 hash: 43d090be5a756fe3354ed932c3a839d0e98841b53d364a2dc91b00dd1ea2840abb0e1cd55f7c1a9ca8b57acc93f29d0a
SHA1 hash: 9dd9132d72ea107b80cfab9607aca812c316b704
MD5 hash: b2b4ccbfd732a86793a3b84466158b57
humanhash: nineteen-apart-solar-violet
File name:20221102_3647_463773,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:132'096 bytes
First seen:2022-02-14 15:11:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:EBSYY8PJQaeAnuTCt2xbzmyoaq6rcYsc8tmyWIlwsAdL3cYlx19JSO2n:c68xntmCK
Threatray 405 similar samples on MalwareBazaar
TLSH T1AED3E7C2F698A8A5DC1B05FBD83BDE621217AE6D8479520B30A9771B69F33431877C07
File icon (PE):PE icon
dhash icon d4ccc8c8ccc4d0dc (5 x Formbook, 2 x NanoCore)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241393/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38950640.19774.11685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/620a710c54047500bb53eaaa/reports/50898176-a589-409f-aab9-a496073f1eff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ca9e99e-2289-4033-a0f7-830420eae287
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/939681
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a40f8d6e9ec178ae88ea1a08a6997154dc7b118ac126635b12858ac86d84995/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-11 06:47:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=njaprvxj5qlyv2eougqiu2mxcvg4pmiyvqjgmnnrfbmkzbwyjgkq._file
Verdict:
malicious
Similar samples:
2ed1c5c2c50af3c2502d8e55d5f1f7fb85bbb570c3e1a587902741d5ce4338c5
Formbook
3b4b1b094f3d0ef82fa5a71f91127e4060fe579f4d24dfbd091bdb7a648b27e1
Formbook
4b9320bec4f05c232b2a22cfbe3d8816cdc6b6b069dcc4eaf19cb687c2da657e
Formbook
4bb6d08dad879c7e0098024d645c92c198484e1d7703019fa0db7ead6f867bfd
Formbook
abc5f306aae4ed8a42216e5b16b14b312eac674877724fe3b9beb56b8e6cfb47
Formbook
b100e4e89f9793a97ece1f3a91b2ef8c7c060c7e5685f6769651d54b06b986a3
Formbook
e2bce579f06453baa35e04846954e10ca86d72499c00092cd7a7a9a5eaf507f5
Formbook
f442097ffe0336d6712267088a4368aa539f51f7ea7d1e950da88c6a42f1b29e
Formbook
+ 395 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ch24 rat spyware stealer trojan
Link:
https://tria.ge/reports/220214-sklp6shec4/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
6a40f8d6e9ec178ae88ea1a08a6997154dc7b118ac126635b12858ac86d84995
MD5 hash:
b2b4ccbfd732a86793a3b84466158b57
SHA1 hash:
9dd9132d72ea107b80cfab9607aca812c316b704
Link:
https://www.unpac.me/results/42d0ea41-b752-4c29-b18a-50bcafe0dca2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a40f8d6e9ec178ae88ea1a08a6997154dc7b118ac126635b12858ac86d84995

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6a40f8d6e9ec178ae88ea1a08a6997154dc7b118ac126635b12858ac86d84995

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241393/

Comments