MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331
SHA3-384 hash: 149e5d941be78e2f3ef739bc514d7feff29c97400a7e54ca68e51e8f1b52735227b6f8beb05cd8f01427ec8fa6541329
SHA1 hash: ba23c0412b24ab866c95c73fd8b05366a1bd923e
MD5 hash: 0f2757b784b5bd4aeafef8748a4d1327
humanhash: connecticut-tennis-sodium-stairway
File name:6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331
Download: download sample
Signature Formbook
Create hunting rule
File size:645'120 bytes
First seen:2023-08-09 10:24:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:umAY2kcdbL4Efw+tpHM7LlQGllkrALicoV9pL5cNfFwO9soa3/:XN6GEf9fHIlRjkrai5V9MfFwcsoav
Threatray 3'721 similar samples on MalwareBazaar
TLSH T175D422445E999D27D85F3BF60002B6F683754AD8B91AC69BCC0EF0A5AE7734E8E50703
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441577/
Detection(s):
SecuriteInfo.com.Trojan.LoaderNET.657.4879.20287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64d36980a5c3e653be159781/reports/22a85138-a6f2-4dc7-a156-fde65459051d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b149a9a9-587a-464b-b66b-4de0a63b5e2c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1288448
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1288448 Sample: W87mXftGXz.exe Startdate: 09/08/2023 Architecture: WINDOWS Score: 100 32 www.rzunirnk.cfd 2->32 34 w.jdy33.cn 2->34 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 6 other signatures 2->44 11 W87mXftGXz.exe 3 2->11         started        signatures3 process4 signatures5 52 Tries to detect virtualization through RDTSC time measurements 11->52 14 W87mXftGXz.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 1 14->17 injected process8 dnsIp9 28 www.oadzswru.cfd 17->28 30 www.gracefulglow-shop.com 17->30 36 System process connects to network (likely due to code injection or exploit) 17->36 21 systray.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 09:21:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrfnvwha22zy2ok7zvu3mxkfwaalrgf5omdh2wakspfwyjwzemyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a66f915bdd8a4fb6a5ccd21d56c97a0fbf75a5cf534e1bb927c594e0643cb2d
Formbook
17da5b241a7c1a77d644c46063b11af84dbf96b2986e4c4c0b9b56c1689ae524
Formbook
2c20e13c644886b403df4ba49657c0d032eb34655b7f7d46aeffcf9fdfc9c1e0
Formbook
33e3b47eae5dd2c0931b64dab1fa56868276ee8cadf3cda23e4310e7e640703f
Formbook
5ad354e8575a8c5c293f1fa8a1a25de41078a35c843b330a4b7529ec9b042d9b
Formbook
68f739e8cec56189a152729584f046954f13e32426331970eb755538a8008f1c
Formbook
a06ac680f7c3454cdfe9e777f1dc9e6867e3556d323986c428aead576d2ede5c
Formbook
a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
Formbook
f51c9c3a2de03c31cb595b81d379885e673fa139d85089f789ad94d0966c629f
Formbook
fb6d0c9f8246ae9fafae10a3ed496220f6b2803e454a1da51f07a6dcda5df7b4
Formbook
+ 3'711 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fg01 rat spyware stealer trojan
Link:
https://tria.ge/reports/230809-mfylaaae27/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
1e8db78c161de7197664f6f0dab5caaaafdd2435b76a999e06d17a64dae02e4b
MD5 hash:
94c3160a6592fe16b783e73ec522f54e
SHA1 hash:
60aa35acbe840147a9a500a91421666cbf8b686b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e3be02ef-9196-4d91-8b23-31662a505aa4/
Parent samples :
0a66f915bdd8a4fb6a5ccd21d56c97a0fbf75a5cf534e1bb927c594e0643cb2d
fb6d0c9f8246ae9fafae10a3ed496220f6b2803e454a1da51f07a6dcda5df7b4
6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331
948f701cabece1a38d395dfa7c5ccaa4003b0693fc47b03085d7b5f2ec9b9e60
SH256 hash:
45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c
MD5 hash:
ca775551666be768a9241f43eec98b87
SHA1 hash:
fbbd937067a24c48ee5274d3fa2881a991e64f3c
Link:
https://www.unpac.me/results/e3be02ef-9196-4d91-8b23-31662a505aa4/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/e3be02ef-9196-4d91-8b23-31662a505aa4/
SH256 hash:
939fd09f948e61eca9c7d2035f88b9bc70edd54ad179220e313f856564c8e5a0
MD5 hash:
136a9c95167d7e7486526e2b1e55a81c
SHA1 hash:
1c3113c5227a834b056568f6e076f4a3e803d674
Link:
https://www.unpac.me/results/e3be02ef-9196-4d91-8b23-31662a505aa4/
SH256 hash:
6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331
MD5 hash:
0f2757b784b5bd4aeafef8748a4d1327
SHA1 hash:
ba23c0412b24ab866c95c73fd8b05366a1bd923e
Link:
https://www.unpac.me/results/e3be02ef-9196-4d91-8b23-31662a505aa4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c4adad8e0d6b38d395fcd69b65d45b000b898bd73067d580a93cb6c26d92331

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441577/

Comments