MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d02288f25ff55f5d98e6736e3f50ad9596b774ed090aeea5f4e9d9499eade3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: 6d02288f25ff55f5d98e6736e3f50ad9596b774ed090aeea5f4e9d9499eade3d
SHA3-384 hash: 56495fe1fb5505c99ac01d52a397e0ca064c5e29ad3ae5e4349614e461bb42fde9a5107507df7d71e159f4cb2adb92ac
SHA1 hash: d69604cde6b721248be73bccf9804a23eb0a9407
MD5 hash: eb2a71938ab8bdc98e9f396fb3b68b3b
humanhash: potato-seventeen-avocado-mexico
File name: BL NO_WWSNSA0212JAE.exe
Signature: Formbook
File size: 633'344 bytes
First seen: 2023-11-27 10:30:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:eM72CJf7TWwRm89UfclHZuDoxDxYRLX0NvYDvwN2cFQMO1gcD5z12a4Q84S:97lRm8GElkkxDeRLE6s1FpTWZvv84S
Threatray: 468 similar samples on MalwareBazaar
TLSH: T154D423523121DBF7CD3B97F331B868420373F4A71649DC198D0B1A9E290538A5EA69FB
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 6000696971690068 (3 x AgentTesla, 3 x Formbook, 3 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 307
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BL NO_WWSNSA0212JAE.exe
Verdict: Malicious activity
Analysis date: 2023-11-27 10:31:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph ID: 1348433
Sample: BL_NO_WWSNSA0212JAE.exe; start date 27/11/2023; architecture WINDOWS; score 100
Process tree and indicators recovered from the graph:
  Top level: contacts www.chinchap.xyz, zeit-fuer-sie.org and 10 other IPs or domains; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); performs DNS queries to domains with low reputation; 7 other signatures
  BL_NO_WWSNSA0212JAE.exe (started)
    Dropped: C:\Users\user\AppData\...\qWDcvvabRK.exe (PE32); C:\Users\user\AppData\Local\Temp\tmpB0D.tmp (XML)
    Signatures: uses schtasks.exe or at.exe to add and modify task schedules; adds a directory exclusion to Windows Defender; injects a PE file into a foreign process
    Starts: BL_NO_WWSNSA0212JAE.exe (maps a DLL or memory area into another process; injects into XRTNnBQTWDDtcQvtnH.exe, which starts dllhost.exe); powershell.exe (two instances, each with conhost.exe); schtasks.exe (with conhost.exe)
  qWDcvvabRK.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    Starts: qWDcvvabRK.exe (two instances; one injects into XRTNnBQTWDDtcQvtnH.exe, which maps a DLL or memory area into another process and starts dllhost.exe); schtasks.exe (with conhost.exe); MpCmdRun.exe (with conhost.exe)
  dllhost.exe (started from the injected XRTNnBQTWDDtcQvtnH.exe)
    Signatures: tries to steal Mail credentials (via file / registry access); tries to harvest and steal browser information (history, passwords, etc); writes to foreign memory regions; 3 other signatures
    Injects into XRTNnBQTWDDtcQvtnH.exe; starts firefox.exe
  Network traffic from the injected XRTNnBQTWDDtcQvtnH.exe: www.oostende.cloud (83.96.212.57, ports 49735, 49736, 49737; XL-ASNL, Netherlands); www.saipanrealtygroup.com (156.226.158.102, ports 49739, 49740, 49741; XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles); 7 other IPs or domains
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-27 03:46:46 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 17 of 23 (73.91%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SHA256 hash: 79717778ddc60781ba1ae13ccff5f8ff24e572bfb6d162305f9d5422c05fcf3b
MD5 hash: a5367745a3e4e6195c4662448a6a6b01
SHA1 hash: c4608da6f550ff9fd1a25032190a813dc0834175
Detections: win_formbook_w0 win_formbook_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 6d02288f25ff55f5d98e6736e3f50ad9596b774ed090aeea5f4e9d9499eade3d (this sample)
Delivery method: Distributed via e-mail attachment