MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e47d662e6f00f4c8b160545fc27354f3e2fb8955aa1c4de6303f44a80b6015c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	6e47d662e6f00f4c8b160545fc27354f3e2fb8955aa1c4de6303f44a80b6015c
SHA3-384 hash:	995abe3e2d8e0084c5f6b0470b8b557c8ccbd71041d14f9d6e625c72abd057846dfabf9c9840a6edead75218fef0ed2f
SHA1 hash:	b40096ec2b4cb7eab69e9ddd52a2e3fafe3ac38e
MD5 hash:	7f2a62f53478c50050b4ef97ea2eb99e
humanhash:	six-london-texas-quebec
File name:	SecuriteInfo.com.Variant.Barys.385745.19160.19275
Download:	download sample
Signature	Formbook Create hunting rule
File size:	692'224 bytes
First seen:	2023-05-12 11:34:37 UTC
Last seen:	2023-05-15 14:43:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'467 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:alpwhh2Y4YZU/zq8LMWl6ac/iHBfLV4oBHiJIFKEffRMEBt9rj9/rdp8iBy/c0lt:azwhh2Rq8LTEac6tXBHiJEK6fmEv9
Threatray	1'759 similar samples on MalwareBazaar
TLSH	T184E4D0DCB274799FC923CDBE8DA78C846AA024BA5B0BD1335503149CDE4E95BCE041FA
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Barys.385745.19160.19275

Verdict:

Suspicious activity

Analysis date:

2023-05-12 11:37:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4a02590e-c794-45f8-a29c-b2ad00fa43c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/388708/

Detection(s):

SecuriteInfo.com.Variant.Barys.385745.19160.19275.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/645e24688723e91f5525deb9/reports/7193b5d9-897e-40cb-9a2a-aedc92a5cea4/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/6e47d662e6f00f4c8b160545fc27354f3e2fb8955aa1c4de6303f44a80b6015c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/60ea7b6f-c505-456b-ad6d-9f32d576ea27

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1231545

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e47d662e6f00f4c8b160545fc27354f3e2fb8955aa1c4de6303f44a80b6015c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-12 11:35:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nzd5myxg6ahuzcywavc7yjzvj47c7oevlkq4jxtdap2evafwafoa._file

Verdict:

malicious

Label(s):

formbook

Formbook

030026bf6983702ec4865754d69d48af120bf0dea165ef7ef22428422412fff4

Formbook

1f3e2e4828e5254eb321e357600476932a047e8f1083ce39d4f2f919b25314b0

Formbook

4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12

Formbook

5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15

Formbook

8f3449b43eb5b5bc23330078ff8237c5d743a73519348f95b3c51d691f5663a3

Formbook

9d53f6d13b02326eca5357286c0852c653dd17f8459eb30dd0086fe2ef2f9049

Formbook

a0944a8143c9b1520e9d4c27ba2a6699eafc3352c7fecee0039ab0f410b047ff

Formbook

bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

Formbook

c11514fce0720af2328f702e0a42aaea3b9d4ef635de46d638a9ca0629e5f75d

Formbook

+ 1'749 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230512-npz15sch54/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Gathering data

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6e47d662e6f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/388708/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample