MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367
SHA3-384 hash: ef559d2febbb54e840db5f3849f4d3bb33dce714899ef95bd7f258a22c9edc276e1c0f8063b67644d23b652a650c67c8
SHA1 hash: 91a7f770da2632542ea3f8ea4914a7c664c3c854
MD5 hash: 7b6d0f4b9896f5e24aeefe13757efbe0
humanhash: earth-lion-wyoming-artist
File name:#PO-NX - LI-13-11-20.exe.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:605'696 bytes
First seen:2023-11-20 07:07:17 UTC
Last seen:2023-11-20 14:28:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:/I361h61EWGiSOEMDy83Q2G2h0AQY06NuROqnEcptjOOhnLMIjq0wrVA61:/tY7GiSOEMDy8g2k+06BqVpJfPwrz
Threatray 2'323 similar samples on MalwareBazaar
TLSH T189D4223A3664877BEBE9D9F72050388803B5F6969862D19C0C8630FE46E6FD3650167F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4c6dcccecf8b4b8 (12 x AgentTesla, 3 x Formbook, 2 x RemcosRAT)
Reporter cocaman
Tags:bat exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459235/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Inject4.59820.2635.30375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b48f4876-4e05-40d9-98da-ebf6a8fc82bb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344983
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 03:04:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwbirihn5k5uz2mitz7p7i4yh4ntadkjbaxf53k6rwosk22oentq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
43141e46fdafbf6529ef4319ee733ef308a6e6e12278e74c135d977a5b135876
Formbook
6467245f6d186b2dd54ba139a2bd8ea38cafe83952d7c20cd0937c53b9e9cb6a
Formbook
a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a
Formbook
cf33cf1b99aec2e58ebff495b327734f9d444884af6846ea086c210bd4ee2623
Formbook
f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
Formbook
+ 2'313 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fs35 rat spyware stealer trojan
Link:
https://tria.ge/reports/231120-hx74tsec96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
ebb46bf819d57e643e831c8cd436414a8961ab6112a7a4ce580fcf23e455030b
MD5 hash:
c90142f38b1efda69b3c2af1ad87f5ae
SHA1 hash:
3b34c8e64904987cd75b1a7b09105a39dc66f473
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/b170d1ce-d90c-41ee-8ae6-720aaca52803/
Parent samples :
6467245f6d186b2dd54ba139a2bd8ea38cafe83952d7c20cd0937c53b9e9cb6a
f36f3336aedc47e7ec061cc5a11589d9e3adcff96bbc805a8da7ac0182d40e22
43141e46fdafbf6529ef4319ee733ef308a6e6e12278e74c135d977a5b135876
cf33cf1b99aec2e58ebff495b327734f9d444884af6846ea086c210bd4ee2623
6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367
SH256 hash:
797e57bd74a68f7b4808a213f5c319ee4f4b023bc73088175d4393dfee9fe329
MD5 hash:
3c927935fbd608e7628cc2c5ad7d52fd
SHA1 hash:
ee0c880c0614ac960fd641f7d479233584aed1d8
Link:
https://www.unpac.me/results/b170d1ce-d90c-41ee-8ae6-720aaca52803/
SH256 hash:
75dd0b24eb625628f56cdbef3fe4230ee6e2561700e21652f043a669596ceab4
MD5 hash:
fd3d8076edd57923ef1764762696742c
SHA1 hash:
d12416efcb0670c026b0ae8ecb7c4b2f3229ef77
Link:
https://www.unpac.me/results/b170d1ce-d90c-41ee-8ae6-720aaca52803/
SH256 hash:
01f38bb4dc7f1787a239efdc7352a89b75c963bcb8227c347654879108330b9f
MD5 hash:
b1a6cdf7a2dd47e5972db92038455bcf
SHA1 hash:
b81f5c89e596726159a6b8f9915980466eeeedd6
Link:
https://www.unpac.me/results/b170d1ce-d90c-41ee-8ae6-720aaca52803/
SH256 hash:
6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367
MD5 hash:
7b6d0f4b9896f5e24aeefe13757efbe0
SHA1 hash:
91a7f770da2632542ea3f8ea4914a7c664c3c854
Link:
https://www.unpac.me/results/b170d1ce-d90c-41ee-8ae6-720aaca52803/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d8288a0edea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 5f6c56b507816fd602186a2a9d60a2757b2e40e042f2beabb452ddca228804fa

Formbook

Executable exe 6d8288a0edeabb4ce9889e7effa3983f1b300d49082e5eed5e8d9d256b4e2367

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5f6c56b507816fd602186a2a9d60a2757b2e40e042f2beabb452ddca228804fa
Cape
Cape
https://www.capesandbox.com/analysis/459235/
  
Dropped by
MD5 7bbc8c29e978d1f162dc3f51ea9b3b13

Comments