MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425
SHA3-384 hash:	5b1441410147f44d4e36fbe9e73617829187cfa8642e73ec56b3302b451dcb099457f6ba275da20d901ee4fd5e77630c
SHA1 hash:	f5c6bba08809c42097b0ca24b161aed7e1e8d1ad
MD5 hash:	1801ae11b1a9a4a0df775a4199cb66db
humanhash:	paris-mobile-artist-juliet
File name:	list+pictures pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'102'336 bytes
First seen:	2022-01-26 14:53:51 UTC
Last seen:	2022-01-26 16:38:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:MXOA3VMC8Weh/HoTctrxgxucHGUXw4FysQdQP+U2NXq:MXOAFMC8zPXgxuoyscW+J
TLSH	T1A4359C087794C3E2C4ADD6B7F46D213447B92FAE653A999C28CA71C9CFF7B205450A0E
File icon (PE):
dhash icon	332363132d253b47 (3 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

list+pictures pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-01-27 02:15:15 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/6b33424f-1a61-44df-9c72-ef76bc4b3b8b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/223397/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.1720.20801.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

Searching for synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61f16090d73ca9d4648dcc54/reports/ced15dd2-4a7f-4c16-bb77-aaef7e3ffb49/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0954e2b-499f-428e-be72-f6a34edc7b19

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928002

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-26 06:15:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=njuwgemqrfmjztzfjgsweuxvjs3cwulnu5dvegp2wlbjjzsv4qsq._file

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:no9u loader rat

Link:

https://tria.ge/reports/220126-r9we8seeg6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Xloader Payload

Xloader

Unpacked files

SH256 hash:

d55f525eb14cf5f73ae1a37d57361caf764bbe72b386f2ae925385186d9a11de

MD5 hash:

e0f1321965b32cd4b2fe11fff15b4f65

SHA1 hash:

159d4db341abc9ccc61b63f3090ec756ad7a0fec

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/54695aca-7023-4a85-8be6-451af015f8d3/

Parent samples :

6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425
e1a56f989b55a3ca7b2c531fae84dce7bb3dfd4f20c2d317894337f41d6e85e1

SH256 hash:

8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1

MD5 hash:

efdf2c54a74297c24bc73285376c432b

SHA1 hash:

564f25afb6c5599cdcd5fafaff32c1475e581af4

Link:

https://www.unpac.me/results/54695aca-7023-4a85-8be6-451af015f8d3/

SH256 hash:

d4c032bf112cdcefa5b4811e970ece880854ad1815f2676db2df469f2cbb3c21

MD5 hash:

dfcfa1552962f8ccc40494dc56371589

SHA1 hash:

360cebc6c2be623580c66bbc3bbea625214bd807

Link:

https://www.unpac.me/results/54695aca-7023-4a85-8be6-451af015f8d3/

SH256 hash:

6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425

MD5 hash:

1801ae11b1a9a4a0df775a4199cb66db

SHA1 hash:

f5c6bba08809c42097b0ca24b161aed7e1e8d1ad

Link:

https://www.unpac.me/results/54695aca-7023-4a85-8be6-451af015f8d3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a6963119089589ccf2549a56252f54cb62b516da7475219fab2c294e655e425

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/223397/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample