MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b
SHA3-384 hash: e82fc722f72aabdf340032001e9c00bccff7193b2d304345b7927e2b5cb627941e159a32f4fd55c3f4b0c8fdea707300
SHA1 hash: dd8886555f629e13b8c123fb93faa35d6bf4c7de
MD5 hash: 9b3e3201e17442a58e6ff7de9a19f2a8
humanhash: wisconsin-robert-fruit-mango
File name:9b3e3201e17442a58e6ff7de9a19f2a8
Download: download sample
Signature Formbook
Create hunting rule
File size:259'584 bytes
First seen:2023-07-26 06:50:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:xoJYB+N/DZSwpnxiBh2CSTaR0VvVbfJx4rSvUs:WJo+N/5UBsQ0Bx4rSc
Threatray 1'215 similar samples on MalwareBazaar
TLSH T13C44E50776459AE0C3486771C3E7022093B5D6D776F3EA8A3E8A12E50D067A9BC496CF
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9b3e3201e17442a58e6ff7de9a19f2a8
Verdict:
Malicious activity
Analysis date:
2023-07-26 06:53:10 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/27130a12-38da-4c04-a1db-4972bd7c01c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/433360/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.14116.27352.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbae5d53-357a-4677-91b9-e273c02e58fa
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1279858
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b/
Threat name:
ByteCode-MSIL.Backdoor.Ratenjay
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 23:33:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nz2fc43srttnq7mcxlnfcki6im642x3sizoimegoeat2agcbfgnq._file
Verdict:
malicious
Similar samples:
21d213c4a54955d404e6a82297217a66bf52cead08e73c5411637b8daf70fd73
Formbook
3eca25fbe03b2a9521916ffa9dfb0e31950776af9cbf528fdf693fedba978b41
Formbook
5d00a935082f0319f6d2d74c18a641fdc3cdac4401b6ad5bb8d48f62019e686f
Formbook
841c1860b52b3817eed70e4d1f1bca972f0406e666bd8d034735fe70cc713831
Formbook
9d668aa6479e36725aa0803a16cde42939599516b9d58e40fc98b2b03d2e74ea
Formbook
a72a4e1444e8a68185d3dd2fd9d47d3507976616f44aeb46c4b9384134a11fb0
Formbook
b0e033889328ade7951390d7cf8f4e5558a12aed2d5042596e9f76d3286f5de5
Formbook
+ 1'205 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230726-hmg5naad5s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b
MD5 hash:
9b3e3201e17442a58e6ff7de9a19f2a8
SHA1 hash:
dd8886555f629e13b8c123fb93faa35d6bf4c7de
Link:
https://www.unpac.me/results/628e6061-364c-4e7c-bb6e-a0050b1fe074/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6e745173728ce6d87d82bada51291e433dcd5f72465c8610ce2027a01841299b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2690143/
Cape
Cape
https://www.capesandbox.com/analysis/433360/

Comments


Avatar
zbet commented on 2023-07-26 06:50:06 UTC

url : hxxp://5.42.92.67/lend/xvid123456.exe