MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b
SHA3-384 hash:	73a74ebf8c312a949b6fff67e9086de30ceff1f5d2aeb0edef7d0ea5f28a5a190189063cdd6c1b7081afc603d5772b82
SHA1 hash:	a4f41e941afeecf41871a394c2feec0864d63e5d
MD5 hash:	d90189f423f08e34563ed09ea821b255
humanhash:	minnesota-bluebird-december-fish
File name:	송장 지불 영수증.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	668'672 bytes
First seen:	2023-12-14 07:23:46 UTC
Last seen:	2023-12-14 09:23:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:EOd0oLtIz0LTg5PMJA2XgffB3ZNJdjuLggszyE6en3dU0A9:EPgfLU5htZNJd8ggjEzA
Threatray	3'787 similar samples on MalwareBazaar
TLSH	T1B8E423142BF8C73FCF7F61BCF692A26E07775455B762EB89C8A8B1CA08897844153127
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

송장 지불 영수증.zip

Verdict:

No threats detected

Analysis date:

2023-12-14 05:21:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fcbf8876-a983-4826-aa4d-96544963bfd0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.30344.2632.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9629269-0f8a-41f5-af2a-5b8beeac39cd

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361976

Signature

.NET source code contains potential unpacker

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-14 04:36:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=novo4sb2oqxy3bi2xbzauh7jwa6zxipktlhpu45j757d42lphvvq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

Formbook

6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b

Formbook

8ba8416d095006be656b4b4e0eaa987cd84a5236641020ebaf22b0cdf08b24ef

Formbook

b4cbf684e8873e04a1ff54c62bdb9eb5782d1cea507edc3cef13ac280f049a2f

Formbook

f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea

Formbook

+ 3'777 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231214-h8dz5acbck/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/0451bdd5-d09d-41fe-9076-b1f361e8eb4d/

SH256 hash:

bba03f84b01df6772053f2ae70c6387522fd4a772fa4498afdd1f2c246e85415

MD5 hash:

ff641d1ab661288cf7258a39885ed5d6

SHA1 hash:

2bb98f966fa60e70377fc0b5426b4daff7eb0889

Link:

https://www.unpac.me/results/0451bdd5-d09d-41fe-9076-b1f361e8eb4d/

SH256 hash:

4d4824d7bf7cf39afe450320018087adc46f8a392a5b27835c601c499b49dff9

MD5 hash:

e9bac4df4796dd936055e4033cb83704

SHA1 hash:

1f00210c3c6396c62f9231cf62fe774f7dfdf110

Detections:

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0451bdd5-d09d-41fe-9076-b1f361e8eb4d/

SH256 hash:

6dc768418ce1228714148fa127f959cd03de148dc5a61c24c7919fa1c3a90c79

MD5 hash:

b5a6f3e36ab0e52e8e0d19ceba43dfd0

SHA1 hash:

1b250073f5c3185d4d9046eca9b75d55cbc4e1e2

Link:

https://www.unpac.me/results/0451bdd5-d09d-41fe-9076-b1f361e8eb4d/

SH256 hash:

6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b

MD5 hash:

d90189f423f08e34563ed09ea821b255

SHA1 hash:

a4f41e941afeecf41871a394c2feec0864d63e5d

Link:

https://www.unpac.me/results/0451bdd5-d09d-41fe-9076-b1f361e8eb4d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 6baaee483a742f8d851ab8720a1fe9b03d9ba1ea9acefa73a9ff7e3e696f3d6b

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample