MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
SHA3-384 hash: 58fb50d7b648ff9e41bdbf05d94d7bb06a4835ccdaff60f3166212574839fbd909e8b74b61867179017bd2721021cf15
SHA1 hash: 1cbb11301bd906cbcfbb8608ea2d7a26768697ed
MD5 hash: a32d4a70cf3fbddd09930cbb2b63f5e9
humanhash: mexico-lemon-salami-november
File name:3. PI TD210408S4MG01 LB202100037.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:852'480 bytes
First seen:2023-12-05 07:07:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:d1U9BqmycgiH75BsUc6oqPqSuQyyjYDlo8gK:du9Bqmycr7JvPqSuQyyQBg
Threatray 1'047 similar samples on MalwareBazaar
TLSH T14E05F159BABF1B2BC0366BF8053052305BFDE956B06FD64A8EC364DFA464F305941A23
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ccccce4e0f8ccc0 (6 x AgentTesla, 4 x AsyncRAT, 2 x RemcosRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462521/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656ecc5581a3a8ec606cc457/reports/aa400c63-5276-4edc-b91a-a9fa5368a2c1/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adbce5ca-e85a-4149-96cb-2da6478ea2f9
Result
Threat name:
FormBook, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353743
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-05 17:29:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqwxcycbmkyfgbxfoajzjak3xfyo7i42s54mupghuh3gc6cfpavq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
21dc047f9ab94825e801f1459225100c58e688396b570318cc50fe8f53dfc66b
Formbook
3c4cea2018a1d222aef402eff14de46b325024c6d775611817a9723d385f62ed
Formbook
7056d549ba61408c2967bd1b277aad3134ab22afda1ef861c238f2c5598c3420
Formbook
742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
Formbook
89525d55fd73880fae8d04629ee885c441a497fb091eb73e204c91d9d03ddb05
Formbook
9b85d318cfad613f6da6b2264b0b09a6f980def72e6c3c763e0373f005454aff
Formbook
a5bbf13f56f953eb2313a2b3d2c0c06d14bc1455a06f01ec91a7f4e2e3757297
Formbook
e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7
Formbook
+ 1'037 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231205-hx8elahf5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
7bb70d3d4bc68aa15e8a93d035dc943e4860b944bba5767c8051738d6ceac24b
MD5 hash:
b3f6e6eb60ebf84ae5ad1f9926ab3ce9
SHA1 hash:
6c21c05971f62955fd3fbc2697c0407647224ee9
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
Parent samples :
02bc9f274f7ba4ec93358bfa71c5b658727b414e7e6301c50fac619227a78327
151eacb26f65117d4a4abb8473c8650edd42b079a662f7dc4c4ebdd966045d1c
ce3a332225a10d659e26a1775a2e002ce62d470c9f02c47bbbf69767c7e2ffa9
571f10fb2f8ed39463e85d4a5af98f8203489b60d7a634d890462f10d6b15f2d
2692c5fb278a85db144c8121617ab7909a54281e5161b8bff920bd485ea4eccf
0b7841ea5b8040d0a636dfb94f374666baec80ee31307dc156c947b287d8f1cc
a9e9a756fe59beb18eb1cdfceee2b2c5c9246dfdad6dc05a6a9a810c479e2516
89525d55fd73880fae8d04629ee885c441a497fb091eb73e204c91d9d03ddb05
742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
SH256 hash:
ee8044463d637bca6ee6967b5ab0ab04d28db515b94e1e09eb931f69d4bb4d22
MD5 hash:
bf2ac64a9f5788fbb6acd96d2a3391d5
SHA1 hash:
65a983320eee0701a12db8b79729d99ff2e64d17
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
SH256 hash:
629f261a8815344408632b70bfc43457442e1cb030c52c70c33f2dc7f98bbd7b
MD5 hash:
84a7ffb650fed6293ebbb067168a4c6f
SHA1 hash:
ba4ac804a14c5b4d7e609cd4bbf40fcac1efeb78
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
SH256 hash:
59c15353394e2a3ed293c8194a0a40b1c29822ec2caec7e0e9213b9e2a7b3e24
MD5 hash:
2e652bdb9c25b7bbc36bcba66b3a5233
SHA1 hash:
77af9e048e1bb927c102bbf531f21af295a45072
Detections:
INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
SH256 hash:
b6f95315ebc5c5b4f3e4202f85c8b5f584bdd5f6f2e2b8534f773a9644ed87e1
MD5 hash:
878d0961bc7feffd1a9ffa88164bd925
SHA1 hash:
53a7fce26138591b1f7a9f46638920f1349394bf
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
SH256 hash:
742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b
MD5 hash:
a32d4a70cf3fbddd09930cbb2b63f5e9
SHA1 hash:
1cbb11301bd906cbcfbb8608ea2d7a26768697ed
Link:
https://www.unpac.me/results/280e31fd-e8cf-4aaf-a094-215280012901/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/742d71604162/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 742d71604162b05306e5701394815bb970efa39a9778ca3cc7a1f6617845782b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462521/

Comments