MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
SHA3-384 hash: 1d02641d7a7fd255864036ca827bd044d2459c512cb1be53bff5cddd0b0d04ea46205bb56574cc703bea6039dd9f4d22
SHA1 hash: be06d1f3924dc081c007e710e044a86700de5c3d
MD5 hash: 6be81113a8be4c9a34e9d8fd9b3dac56
humanhash: fruit-eighteen-north-india
File name:SecuriteInfo.com.Win32.TrojanX-gen.15089.21504
Download: download sample
Signature Formbook
Create hunting rule
File size:804'864 bytes
First seen:2023-05-04 17:38:45 UTC
Last seen:2023-05-13 22:57:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+e11KAbEEBEpmll+Zf/6w4mcaMtzXJvSvAiY5Z4nSAgWxU+ajbBMeU/dwsd:zPKcEEPlkRcaWJvSvZCuq+ajVMeU1ws
Threatray 2'806 similar samples on MalwareBazaar
TLSH T1CD05F12233B8BB95ECB683F82708A0016FB57D6167B5D6E84CC6E0CD5155B08FB60B67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
261
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.TrojanX-gen.15089.21504
Verdict:
Malicious activity
Analysis date:
2023-05-04 17:41:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72e02729-3a7b-48e5-9e76-db30bdce4b39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386587/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.25052.3033.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6453edb7961a21dc785cd9b9/reports/4d065767-7c67-4698-9c52-33c64cf4b2a6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96547afe-8288-433d-b40f-31d3db9d1f14
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226409
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 859372 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 04/05/2023 Architecture: WINDOWS Score: 100 71 Snort IDS alert for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 7 other signatures 2->77 10 nVVgIdTKmyHqmD.exe 5 2->10         started        13 SecuriteInfo.com.Win32.TrojanX-gen.15089.21504.exe 7 2->13         started        process3 file4 85 Multi AV Scanner detection for dropped file 10->85 87 Tries to detect virtualization through RDTSC time measurements 10->87 89 Injects a PE file into a foreign processes 10->89 16 nVVgIdTKmyHqmD.exe 10->16         started        19 schtasks.exe 1 10->19         started        47 C:\Users\user\AppData\...\nVVgIdTKmyHqmD.exe, PE32 13->47 dropped 49 C:\...\nVVgIdTKmyHqmD.exe:Zone.Identifier, ASCII 13->49 dropped 51 C:\Users\user\AppData\Local\...\tmp56C2.tmp, XML 13->51 dropped 53 SecuriteInfo.com.W...15089.21504.exe.log, ASCII 13->53 dropped 91 Uses schtasks.exe or at.exe to add and modify task schedules 13->91 93 Adds a directory exclusion to Windows Defender 13->93 21 powershell.exe 21 13->21         started        23 schtasks.exe 1 13->23         started        25 SecuriteInfo.com.Win32.TrojanX-gen.15089.21504.exe 13->25         started        27 SecuriteInfo.com.Win32.TrojanX-gen.15089.21504.exe 13->27         started        signatures5 process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 16->63 65 Maps a DLL or memory area into another process 16->65 67 Sample uses process hollowing technique 16->67 69 Queues an APC in another process (thread injection) 16->69 29 explorer.exe 1 1 16->29 injected 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        process8 dnsIp9 57 www.internet-providers-45067.com 185.53.179.93, 49701, 80 TEAMINTERNET-ASDE Germany 29->57 59 dralexisdvm.com 15.197.142.173, 49700, 80 TANDEMUS United States 29->59 61 8 other IPs or domains 29->61 95 System process connects to network (likely due to code injection or exploit) 29->95 39 cscript.exe 12 29->39         started        signatures10 process11 dnsIp12 55 www.handgab.com 39->55 79 Modifies the context of a thread in another process (thread injection) 39->79 81 Maps a DLL or memory area into another process 39->81 83 Tries to detect virtualization through RDTSC time measurements 39->83 43 cmd.exe 39->43         started        signatures13 process14 process15 45 conhost.exe 43->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-04 17:39:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okvwwih76xytqrigy6rzipb4r6otzyxmy6izp4fnqj2k4grbkd6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e
Formbook
2d6c9ac070f5bb55d66de498da4a8c26d377eb79d7917d03af6d3608e350ac08
Formbook
33b5ccf1b3b48e22ab607320e0bb143ad0ac2a9770b0e385c0365366de472ceb
Formbook
7e17d20032413cfa6dc32271e7a386b32a4cc79744171f9f2d9b895444c5e110
Formbook
87ec8dcb44c20195f72ea0d6d2ac3572a9241bb1e0c7f770d8d13e65a4cf9155
Formbook
8a1f57853b44e3702f2758a4ad46225af7fa0a847ee22b0a9f190be5c062869b
Formbook
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
Formbook
d40024a841668b3cb64cb894613ee64fb37288125d32ca3068007f70db30f1ed
Formbook
d9fcc1602122022a5c2ad597168eed6137a55b2356d767f5a877083c99989561
Formbook
e6d16fced75e8265e62b73cf660a303c0e03f50cead978df78b0a05f51aa42dd
Formbook
+ 2'796 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o17i rat spyware stealer trojan
Link:
https://tria.ge/reports/230504-v8ac6afh9x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
ab3036f19998adea73263a39874391e8047cd2369ca062ef90326c7b46cdf069
MD5 hash:
d7fd54c77e6dc3ddcb7f0f442ec9f2d5
SHA1 hash:
b37657214b8a5fc14ff8e15722cdb6b86da1bd72
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/797627c9-f516-4947-aa6e-c7c51150d558/
Parent samples :
0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e
e6d16fced75e8265e62b73cf660a303c0e03f50cead978df78b0a05f51aa42dd
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
7e17d20032413cfa6dc32271e7a386b32a4cc79744171f9f2d9b895444c5e110
72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
a530b6b2224f5b81914f4e439b135a06e761d6587e1ea76eb069c7c51c3ca50d
cc9fd84fffa1811ef3177586d7c6aee88dc4dc5412fd658ee4bb36ff934eec01
338bce8dae0d4fe01a719210414e31861456fd8584853636e775ac4e1c83b453
fc52523013f9198bf95daa7b6f6a597b518273b54c50635784deee1e3c9dd991
cd94bb8956e12aa67943b6bb657f17d2680b848b36f8726283a2037d1d588461
0480f30f1070d12b3231c495ee15699f09049f1c5bc19e889ebd2f3571bd4ab7
baf6e6d6d8347f5151d3c260ca4d72694f5339b558294409cb7c4871616d8188
ebaa46d302bc220922a76189a85e48f24587ccab47f674d37b02cf4e605c4755
SH256 hash:
ef7122a98eca35c197740b6d6e1905c446a9d65fd1580f8fb3274d85151e5245
MD5 hash:
f4ff5b1b1dc7d2cc8c440f83bce82f8b
SHA1 hash:
e15b4dd8354139fbfefc4c63bfde8311da9f226f
Link:
https://www.unpac.me/results/797627c9-f516-4947-aa6e-c7c51150d558/
SH256 hash:
45d8a670511ec7281229afddda021dd2b80307cbbbb653265b596b52efa86217
MD5 hash:
68fd6491aaf74134873ab27f3f8ced2a
SHA1 hash:
c04d1b7d9de81baffd607a30f468bfff2bd738ca
Link:
https://www.unpac.me/results/797627c9-f516-4947-aa6e-c7c51150d558/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/797627c9-f516-4947-aa6e-c7c51150d558/
SH256 hash:
184e258989ff0f7f70e541e56fd08188f0b52a259bd4a4a15b4c2c262ab5f0bc
MD5 hash:
4a748cef261ab168f80c667d6c265829
SHA1 hash:
199a07d7a9281af5b1e553920e5cb2fc70580ebb
Link:
https://www.unpac.me/results/797627c9-f516-4947-aa6e-c7c51150d558/
SH256 hash:
72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
MD5 hash:
6be81113a8be4c9a34e9d8fd9b3dac56
SHA1 hash:
be06d1f3924dc081c007e710e044a86700de5c3d
Link:
https://www.unpac.me/results/797627c9-f516-4947-aa6e-c7c51150d558/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72ab6b20fff5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/386587/

Comments