MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef
SHA3-384 hash:	4caea6a260574012af8e0a3067f5723a24878e177d04a69c31ad8a7846c4b609709defb40ef5cfbd82e11a4cd27d528b
SHA1 hash:	5776114b19f743d969d7b380d76df537b686e504
MD5 hash:	7477a7a0c380cdafbdb1b10025a1c514
humanhash:	magnesium-tango-twenty-mango
File name:	ReYeni makine sat?nalma sipari?i.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	820'224 bytes
First seen:	2023-08-09 17:39:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:MCBqpEO6YTeJl3elejFpQBo+hxED9uNCVn:MnpElJejQD9uN
Threatray	3'570 similar samples on MalwareBazaar
TLSH	T19605273C15296A8CF7A486FCB2744CFF17A56D6F80BBF9F3884DA4D306A97D04502662
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe FormBook geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4c5cf232-d6f5-428e-a2ad-7a86304046f2

Verdict:

No threats detected

Analysis date:

2023-08-09 17:55:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19e79bcf-f2d9-4366-a3be-860f7219fc45

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/441740/

Detection(s):

Win.Dropper.Malaz-9939293-0

Result

Verdict:

Malware

Maliciousness:

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed7748cb-017f-42e6-86d4-2a9a46af9e81

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1288828

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-08-09 17:40:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojn5leajhnezovm3kaber2fijxv33yj453eemca4pdt6ykdkidxq._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Formbook

5165efed390a7710ab87e8256f51ec07dbc9b63e8cf55e104a9230530b813cb0

Formbook

5291498ba10bc71f5bb08fe5c67d085c24008589c09c6c28faf4dbf222ef5a3a

Formbook

63e437a647e0cd76c38f1e73b5f1d5aa54c8e6a7f26cd31bd0fae9b1994751e9

Formbook

7f8d1823d07c98a5ea6e9d2848faf940231df09568b4fee525f18ea59d6094bc

Formbook

8e1579332c108b91cf104ac63a80be9cabcd918086bcd27248e59467776fc863

Formbook

973afd04fd466b41ebe1b7a3cbdc5a90217f754f2637cc25718cfe899e1c1365

Formbook

a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc

Formbook

c930599e45ce9f8d2d1ffcce335e47b1beef8119dabef13eefe381927a4f6719

Formbook

cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22

Formbook

+ 3'560 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ct45 rat spyware stealer trojan

Link:

https://tria.ge/reports/230809-v8wldsea29/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

1324ef1d47933d10b993f88ecbba39139917f63b5bb491de253b07e3895b6dfc

MD5 hash:

52b6e08cc03c01d68bfa8016d62136f6

SHA1 hash:

110f300f6a6dd87039eea6b879e51e77116c7bfe

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/b261eba6-30d2-4c6d-9775-10f5809e5f04/

Parent samples :

d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a
9d9e8ec84f674a2484716075dd29db7677057598a3ef9b1d0f8dd4addfac24da
244be6e97ebec790a323a32fc4fe43dade04804c07ae684191c4d527f5312ad0
1434b391d1b8e5369395173e021878dee61f4269e7e758102c430bb047cb336b
725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef
9dfcc932a69f5fd8aa13068874c8c34a90ed3cc60e54be8bd7c2f815c4cf952b

SH256 hash:

504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804

MD5 hash:

74ed681a2d7aed1dae5627d4367474f8

SHA1 hash:

cad2df636d3f0710f69fdb18cbae03a332341dd3

Link:

https://www.unpac.me/results/b261eba6-30d2-4c6d-9775-10f5809e5f04/

SH256 hash:

e8da90de44a34db281419e3d09d687720959e3159e4693a0891f561bf129ca1e

MD5 hash:

bab406b1e24313b361e7f3472099d925

SHA1 hash:

873702614576416cd6c0e7c119ee4018815b2dde

Link:

https://www.unpac.me/results/b261eba6-30d2-4c6d-9775-10f5809e5f04/

SH256 hash:

4bc0541974fe00584a554a0ea43ec7b17ec1896158afba11af489aae14702a74

MD5 hash:

15123ce9106d171fc538d3ae045922ee

SHA1 hash:

7642e8cbef5108b91e178c6b30ef6ae45d8d4924

Link:

https://www.unpac.me/results/b261eba6-30d2-4c6d-9775-10f5809e5f04/

SH256 hash:

725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef

MD5 hash:

7477a7a0c380cdafbdb1b10025a1c514

SHA1 hash:

5776114b19f743d969d7b380d76df537b686e504

Link:

https://www.unpac.me/results/b261eba6-30d2-4c6d-9775-10f5809e5f04/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/725bd590093b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/725bd590093b4997559b500248e8a84debbde13ceec846081c78e7ec286a40ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/441740/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample