MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
SHA3-384 hash:	5e4c49271f31d4f0adc6458cffff9b4608815eb4056d8541770d07912be8a701ed6ee0c2959ff1230d7857ef9dae8af9
SHA1 hash:	2c26bdc22b28de2d56998077604e4e080005edcd
MD5 hash:	c83491ae6c16257a12668ff5e3cd8964
humanhash:	foxtrot-chicken-stream-april
File name:	SecuriteInfo.com.PWSX-gen.8605.16456
Download:	download sample
Signature	Formbook Create hunting rule
File size:	835'584 bytes
First seen:	2023-01-18 13:28:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:QOTlHnu0b+NoexY/VnG4hI7IeZs07D5/QEZpfkLNLn1OT1J8pP6RdL9m:QOTlH3+NNx8VGJ7tbbZpf/1vRr
TLSH	T13E058C81567B83E6C4BA49741438E93426A15CD18B6CB13ABDC6BD7BBCFA34F0099713
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.PWSX-gen.8605.16456

Verdict:

Suspicious activity

Analysis date:

2023-01-18 13:31:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ae71832e-0fb1-4a79-8f43-e0af26d2f911

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/354168/

Detection(s):

SecuriteInfo.com.PWSX-gen.8605.16456.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

No Threat

Threat level:

2/10

Confidence:

75%

Tags:

packed

Link:

https://www.filescan.io/uploads/63c7f420194eb6a26804f297/reports/75077604-848e-4153-b1db-5a29ca95747b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50fceb89-491e-43f9-993d-4348d3fd07e8

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1153978

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2023-01-18 09:11:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 25 (68.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ol7eq5oommou7fk6hkenkavzggwp7qzdk5wpjklc4onmtiatmica._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230118-qq8qsaec31/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

6f21d46bc9ef68041d0b0ec89b878cae1e5b996988f5b367d54c46e00e782ef3

MD5 hash:

b23ff9e28cdfc56d60a68f42b346fc05

SHA1 hash:

e4eb037c7732ab9b73d59b66274816ae605dc3ee

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

Parent samples :

9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176

SH256 hash:

0d69ffb6d71bb73cb201c5d720e706020ecf8128b75a75df62b114a3a99709f1

MD5 hash:

dac31c8bc4e4a583f6571778e0cf57e9

SHA1 hash:

1a104ea41ecf0459fb8f5878182b5b1e48c4897d

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

SH256 hash:

9f75bfb67da98cefeb325bf89be2ebf0b235dabbe8617d9e23e117e03e4cf07e

MD5 hash:

babf1779f37d62b3f1b56622cd680ec2

SHA1 hash:

f340b46cf13975e4a083a621336d3ccf630e66f2

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

SH256 hash:

3a83a208b355af559e72c150e32162b159b24488fa0953e2279062733ef3f4ee

MD5 hash:

a73804a1d403309eea37e18052f36497

SHA1 hash:

b964bd7d899512058243b715dcad87872c4d0e30

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

SH256 hash:

caf7c650903664b5e4806a9c1477adde3d9826b3f98ad4c1fcfc6c57d056c99f

MD5 hash:

c6af2370abf6e2373bd88fe3177a40c9

SHA1 hash:

9dc0247ca07ab05a6cd6f032a4d7e27136dfc0bf

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

SH256 hash:

ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c

MD5 hash:

77ab42f4bbbf4565846eb8953192d71f

SHA1 hash:

3c662c756cc31867c0473716a74e777a65ced550

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

SH256 hash:

72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204

MD5 hash:

c83491ae6c16257a12668ff5e3cd8964

SHA1 hash:

2c26bdc22b28de2d56998077604e4e080005edcd

Link:

https://www.unpac.me/results/335c97cf-9b7d-4621-95d9-ae0747bd878a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/72fe4875ce63/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/354168/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample