MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72533a647898dfeff6d47e3583ff568084e26a78ac5c94da7458139179be9835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	72533a647898dfeff6d47e3583ff568084e26a78ac5c94da7458139179be9835
SHA3-384 hash:	9e0b64a87ef9faaf7a8d9fe5c53a79aa9755946fdd5a517349ab2bb5399370b498ae245b5c3da46298f65072778ef4e7
SHA1 hash:	6e593d6630a025618f598cbc41c77caec5147050
MD5 hash:	810a2d35ba7426715aae38637d1135c4
humanhash:	pip-seventeen-skylark-shade
File name:	SecuriteInfo.com.Variant.Strictor.267077.6571.7111
Download:	download sample
Signature	Formbook Create hunting rule
File size:	630'272 bytes
First seen:	2022-08-02 05:44:39 UTC
Last seen:	2022-08-02 08:11:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:DAIg6SKlpxf4WT54A8ILyMp6enrh93Wa1Gs2IrOxTkyG29ZJNDq:bLlpxfgzDw6I97ToTy29
TLSH	T1FBD4F19122DA4B07E7364BF2EC1190405FB56D6B11A1E3A44EC4FAEBD1F6FA10F44A4B
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0f47090c0c0a470f (23 x AgentTesla, 5 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/295742/

Detection(s):

SecuriteInfo.com.Variant.Strictor.267077.6571.7111.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62e8ba1e9ca9b9bfcbe47939/reports/9a8aaf64-64c2-457c-9c0c-382954a1311c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89f6e63a-4ac1-4a28-a3b9-6694465cd56d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1044613

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/72533a647898dfeff6d47e3583ff568084e26a78ac5c94da7458139179be9835/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-08-02 05:45:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojjtuzdytdp675wupy2yh72wqccoe2tyvrojjwtulajzc6n6ta2q._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220802-gfqyjscggn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

2637fa9ddef6f5a3b87d5a2733e82f5c5239b41e4a241c5dcbc54d9a929a9fe4

MD5 hash:

897354e566ffcb6f414c52b451b0c3f5

SHA1 hash:

8c91a352738117cfe8c4a7e9293c723dcda80026

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/fb4c6a6c-354d-4fbc-a295-a0c443e35802/

Parent samples :

6ecaea9142fce685a1bc8ad9a44526eabaff947329fafc70057840268c74e1fa
9767f825c671b059a98b746711083eac334dc34ae03358bbd90806e3727e7843
72533a647898dfeff6d47e3583ff568084e26a78ac5c94da7458139179be9835
1d7944caa07fadaf9e6168ed67911df375d6ea59f834e40dbf4bc9fa8735ffee
1b40cc7a99e0c4e22422b5c78c8a32496be11159c5fbb49e525cbd4c0e43a916
4bd1c316cc3611eba483fd1045bf911bd94de0d335013037036fb42c6b927eff
64854ca245c55fd270675076e620358f3d57fe192f588e96102f844f9e2db613
aec56ad2e9bdb0e014c8527622b44342898779ebfce4c236ecba09e46a1c9154
fa1002e726a577d7783f6fd053b232d5e5fc5fd0d9f255fa113b6b5e64919ae6
003af228050266c0c3eb0d4544fb207fc770c9b075940dd1c4b670445bd4bb8e
9a111f3e916ebab625c588f0c3ebc3cac7aa1ed86f7dedc92dd5cf640683b98b

SH256 hash:

1f34ad81707227077c7ed20d5abf56edc098f6c2ab7c90b3d8f0017f58b458ec

MD5 hash:

22e7e7521178024fd0914a9bb8117fbf

SHA1 hash:

7c8762baf249d221cba9bcb4b94336300943e2e0

Link:

https://www.unpac.me/results/fb4c6a6c-354d-4fbc-a295-a0c443e35802/

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/fb4c6a6c-354d-4fbc-a295-a0c443e35802/

SH256 hash:

cd5f395b1800b2f7821f4583a8d7143599a278e952975dc74230c26e98a1699a

MD5 hash:

ff93d94881cf2d7184aa260aaee145a3

SHA1 hash:

8fed70a7d71f69b7831ae28d3e0467d83873f1d7

Link:

https://www.unpac.me/results/fb4c6a6c-354d-4fbc-a295-a0c443e35802/

SH256 hash:

a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66

MD5 hash:

228ff1006be83039e4de2b5e0475a5b0

SHA1 hash:

3adef5cc343067fa6b9d5e712114dc619c867a72

Link:

https://www.unpac.me/results/fb4c6a6c-354d-4fbc-a295-a0c443e35802/

SH256 hash:

72533a647898dfeff6d47e3583ff568084e26a78ac5c94da7458139179be9835

MD5 hash:

810a2d35ba7426715aae38637d1135c4

SHA1 hash:

6e593d6630a025618f598cbc41c77caec5147050

Link:

https://www.unpac.me/results/fb4c6a6c-354d-4fbc-a295-a0c443e35802/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/72533a647898dfeff6d47e3583ff568084e26a78ac5c94da7458139179be9835

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295742/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample