MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db
SHA3-384 hash:	3bad60c43e5767aaf48ac875ed2686f5e9f06ba2e6933eea8b91049d42819d91845e03005a9651347e582da37d3b8709
SHA1 hash:	c5cadd640c60cc5ae5377fa8726c15f38808a131
MD5 hash:	d400c125c91f0da96b71a1335d5c7e9e
humanhash:	burger-seventeen-batman-iowa
File name:	SecuriteInfo.com.Win32.PWSX-gen.17323.27284
Download:	download sample
Signature	Formbook Create hunting rule
File size:	589'312 bytes
First seen:	2023-11-24 07:21:34 UTC
Last seen:	2023-11-24 17:10:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:nE+RIimQdL6iHOHpF2hJwy+atu6KVC94MVK4ENzZK:nE+evGOHpKavI4YEN
Threatray	423 similar samples on MalwareBazaar
TLSH	T1A8C42305A65ECBB3D9AD07BE15E1108207BDA16A9BE5EE6D0ECC70DECF13B049351A13
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	00e4f8d2f2d0c010 (7 x Formbook, 5 x AgentTesla, 2 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/459967/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.17323.27284.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65604f1a6d3af192266fb2cb/reports/8651a78f-7693-404d-a46d-e5abebaf6021/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db

Result

Verdict:

MALICIOUS

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc632c58-d7f5-4136-9c19-aa9e1a395a4a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1347248

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-24 07:22:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nlvtgwz2rrcqnotj3gaaojtkaiijgdg5vpdnh7tlnqfcrzm247nq._file

Verdict:

malicious

Label(s):

formbook

Formbook

38049c6c8b70728eee0ec280abd6bef7a3eecc10a0ae541bcda4b6f3312d4bc9

Formbook

81f680191094ca2497c7798b37b83009157a7201dc0f27839c2860d5eb968fd1

Formbook

93bc82b99ec0339576f7f93e026ee2dc33b8bdddd99b2addca44e5cbde6b59f8

Formbook

+ 413 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:cc73 rat spyware stealer trojan

Link:

https://tria.ge/reports/231124-h68fyshf2x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

85742944caaebe01cf4101666af159c0dfa0c83af58b822712ec304d5c3d9216

MD5 hash:

91188c3915c320085050b9835be0d98f

SHA1 hash:

f69e069eb750d05308fa45140021b2c4cbd188c4

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Formbook

Link:

https://www.unpac.me/results/25c70a6b-7151-40b7-af85-30794ed5f515/

Parent samples :

93bc82b99ec0339576f7f93e026ee2dc33b8bdddd99b2addca44e5cbde6b59f8
3106ab616dc892b43c8d9c28a9fc9f83b3e4676b5e4e61dc0dd97bab8d6072e1
81f680191094ca2497c7798b37b83009157a7201dc0f27839c2860d5eb968fd1
38049c6c8b70728eee0ec280abd6bef7a3eecc10a0ae541bcda4b6f3312d4bc9
6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db
5c0b363499da0abc5bfe5213d4ccff6ecf5f4b8d2ba2bc6b143f3a79c135e0ce

SH256 hash:

dc2a31ebcef7e1b02ef0b2237da0e126dfebaa6a6336f829c0194b89793e239b

MD5 hash:

3d9dd0ed4f6deb6ad320d84fa5a40542

SHA1 hash:

f2daf79f4bfd1118856e13e1487c99259415d39e

Link:

https://www.unpac.me/results/25c70a6b-7151-40b7-af85-30794ed5f515/

SH256 hash:

211aad8f77a5a8aa95e91269089c6714f6c3bfa104307a025a54125f76879dca

MD5 hash:

9f3573a383cf5eb96a5de824f025927c

SHA1 hash:

d11af07ebe016baaff46fb00f9d6d5c8bd0d11ff

Link:

https://www.unpac.me/results/25c70a6b-7151-40b7-af85-30794ed5f515/

SH256 hash:

b32f64139e9cfc3afa129ec4bd0adced5c90f5bb1d3cde1d1a6415165b875370

MD5 hash:

9385019216c64b66fb1e4ceae3ca9486

SHA1 hash:

ad74faf0fc06b34ff4ddd1f44b8cdea500c8fef6

Link:

https://www.unpac.me/results/25c70a6b-7151-40b7-af85-30794ed5f515/

SH256 hash:

6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db

MD5 hash:

d400c125c91f0da96b71a1335d5c7e9e

SHA1 hash:

c5cadd640c60cc5ae5377fa8726c15f38808a131

Link:

https://www.unpac.me/results/25c70a6b-7151-40b7-af85-30794ed5f515/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6aeb335b3a8c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/459967/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample