MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05
SHA3-384 hash: 8d32dd3b7b2bcdded3f0d0422dfbb338bd69d0626699dce20502696a2d8c1f4ad1174141642995e0c4abee837a160b6b
SHA1 hash: 46a46322a3bdc57eddf9fc56f4090e50d705abd3
MD5 hash: 0388d374cff9694d30c5c0de31296aa9
humanhash: black-uncle-skylark-maine
File name:rformulariodedirecci__ndedhl.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:345'088 bytes
First seen:2023-07-24 20:36:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:NaDeFpgekpxx2vmYIs246mJzouubnvytxPSi+4AGeJNOPd/BLtIAzGaLC04:NaiFpgTpxQvmSO3yt4ztGJd/BLtFzGvb
Threatray 3'557 similar samples on MalwareBazaar
TLSH T1FA74018C7A10B69FC597CD7A8D9C1C64AA616077031BE313A49366ED9A4D2CFCF061B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rformulariodedirecci__ndedhl.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-24 21:08:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4acbbd48-4352-4187-a1aa-a9eaaea31e68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431815/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.345.25483.14307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91e9a432-ea7e-46db-aa34-dc560a6e43e0
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1278691
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-24 20:37:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=opczvtyq7sjiw4b5rcdauim6cnet3tsztekoyshftiwo53b35ycq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
042a79fca496efba98589c7115c620c116af2ef1e1308a9ab91f21026a5ccd43
Formbook
0c2e6d5acb82c3c9a5d9aebd50ea3982f10dd70eb516e639b4f8c12d6453c5c8
Formbook
213fbce6c1598d4cd9a54ec4008f6d531f317e81ed125a046ac1812ab8181f53
Formbook
2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644
Formbook
483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587
Formbook
860942d3b0190341282f2ae2d76d65f0374698fc48852aeda79966130bd68216
Formbook
a2ef1bc9c883689ffa4c58c3f51b08aae0b09241be1ed6aeb854ef6f56d097dc
Formbook
aeb52b6f9b9f7b458048aa0eba6255840d1a90f4309f18c95acc0f3f4b972df3
Formbook
b9bdf17b0783f5b073ba007091604c0407e825b17ae8ae90bf53d2a2140341ba
Formbook
eea29ccf59fa6a6aa5a3c14360db6068144f14601d987ec37ea21a35cdac9430
Formbook
+ 3'547 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230724-zd42hagh47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
998c013075c467e13e9ecd8ed42fb7622bf8f9e80cb6466f00fa3264b632114f
MD5 hash:
5d0c63629d074dba81f820bdd2f12768
SHA1 hash:
1f1f02a2a8edb6d15860ff3ad0c14aa1f4b011e7
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7af7a72d-2715-4daf-a72f-8ae3b92d7285/
SH256 hash:
b0f76d9dc8af37182e399292a6eadf541c75656fbf255016ca717613d8d5983c
MD5 hash:
fc3171e0797528685539ebe8c0ca01ce
SHA1 hash:
038fe1d69d63538f456acbc1236101441dad99ff
Link:
https://www.unpac.me/results/7af7a72d-2715-4daf-a72f-8ae3b92d7285/
SH256 hash:
5c0937eac910784b16bc87e7e046e7b2273ff0eac28656cd632ddbd962b433d7
MD5 hash:
f09bb50ed355b25fb00647e2d04404cc
SHA1 hash:
185838c0b390cf7be608f5cc9df97e87a8880d8d
Link:
https://www.unpac.me/results/7af7a72d-2715-4daf-a72f-8ae3b92d7285/
SH256 hash:
73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05
MD5 hash:
0388d374cff9694d30c5c0de31296aa9
SHA1 hash:
46a46322a3bdc57eddf9fc56f4090e50d705abd3
Link:
https://www.unpac.me/results/7af7a72d-2715-4daf-a72f-8ae3b92d7285/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73c59acf10fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 73c59acf10fc928b703d88860a219e13493dce599914ec48e59a2ceeec3bee05

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/431815/

Comments