MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 21 File information Comments

SHA256 hash:	76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977
SHA3-384 hash:	b2489b54e81353e79c36837b78135ef06999eeb962b19d1752838c039c77d77e8996258b4b388c47e005667c60dadb0c
SHA1 hash:	78424f07e9a07b41322a2a91fa71a7db42a8dfd6
MD5 hash:	bf78f7d9bb46ae5314ec7b6d9e651b23
humanhash:	winner-victor-helium-river
File name:	TT Invoice copy.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	717'312 bytes
First seen:	2024-04-16 12:09:36 UTC
Last seen:	2024-04-16 12:28:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:pCazT37rXbgicYSDZQcwGTjM5ucgZgvZ3f3bIq/bVt3zA8mH:pFXbgicYO3DToeq3f3bN3cN
Threatray	644 similar samples on MalwareBazaar
TLSH	T1F7E41286B7ABCD96D09C5236C1D300040370974BB573D74B7BC9225DAE827EA8989F9F
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	e9e098ae9aba8ab2 (12 x AgentTesla, 2 x Formbook, 1 x DarkCloud)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977.exe

Verdict:

Malicious activity

Analysis date:

2024-04-16 12:11:12 UTC

Tags:

evasion stealer agenttesla

Link:

https://app.any.run/tasks/f1bf9f96-7681-4613-9b7e-04f64935fc99

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Sending a custom TCP request

Moving a file to the Program Files subdirectory

Replacing files

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade net_reactor packed packed

Link:

https://www.filescan.io/uploads/661e6a9e238e3ee25c58a8d4/reports/f31357f8-3179-4c97-acc2-54cd96c9ef6f/overview

Verdict:

Malicious

Labled as:

MSIL.Bladabindi.Generic

Link:

https://www.hybrid-analysis.com/sample/76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fea13cfc-d79d-40b5-bd93-5ddfc8628d0f

Result

Threat name:

AgentTesla, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1426712

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2024-04-15 22:54:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oybd5zrnwonv63ttajd4m52jjvu6vvsgpyws2mj3ud32q7445f3q._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

Formbook

522df31fa6822a48a743918cc4371daaa6ca5aade2713ddf6e4a7726c78d54a7

Formbook

8ae053d9300b897c0009559407842f893ca81461f707172cc42a324436839a56

Formbook

9bb6d4c861ecd64a1b4df7e1335eb5e4f3922aaf2e9f7ca8d9a608f49fd5787e

Formbook

b5126fd0fbb2ecd8fb2b32b606a4e8ab867bc0758e146d14c88440c1ac9c8f60

Formbook

+ 634 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240416-pb1wyshh88/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e9c028ecb36a6fb2e3a9f2ce8e58fa444649dd3c47039765cca1967dcc99ef3b

MD5 hash:

65e87dc385029fc40a1d83797b7fbbae

SHA1 hash:

96ee40ce767bf100c7f5c7eb38eda137a9ecd6e5

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/0b0080c0-88fe-4f40-9d0a-90706c1e3cd5/

Parent samples :

a0bf1e896eb05794adf5797b217f280b6dde3e75ec0223232ea00731b88d3194
80ad1f1f7b52cc8ca19175dc6a1d825843977adf22cdc563464a772efd4ceb2e
7df532109f62b797fafb07b9250ac95635b332902108e9f6733909e2e27d23ec
1adc29f30b30e301acefe1b46bbbd7a4f3a76c3708ab842199e95f8f5f053244
6f58a874d38b7f49e2cf380f4cbf7bf3c6367b9d8ea4bca7dd81f83a3965e81b
bb6a4b5aab97593c346510868f58e2a8a84714d60ca7136580daf87ce2dddf18
c4e8c058d4f4a9976ca89a275963e6c4e2b3a2a7e90ad2dd095e173c2f5859bf
24798002b81be4c9b37539e1abea61cccb014cbd427fe1a27d6822e1ffedc7d9
a433dfdb99b293b73898ac05be0fbf6baa9d79976655b0c51ba5a5a0066a2632
f19a4c4d5dd4120eb5871a858dc7c3042f9e34e20d755602f80bfba034c34ee4
29c3845ba540fbe8288c0d4c2f4ab65ec9d0ef646f9df8b684a64f5df60bf3ea
b2e2738e3a2c2553a1318c454330948cf4c14f2f1b07b64e4a0689aefb4c4c88
d3664b1a15f1e037188acd5e5b01c6ce160a1322d40f48593917632dc4404455
923a51c8fc40e0e02a4ca807ed7cd5042f1e59e52abea20c44bf88f7f7b78d6e
76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977
b81530cca77b78402585d96bcfc8e417aa86dd53ac1966601ce8c32bbf517cc3
0cfbe133465059e9d21adb0ee0bcf53ecb2f3459bc258b9a78c6a56cfbf15f27

SH256 hash:

9711f205acf4666c8f9d24c5f53602d5d167f1ae84301b5d3f215ab2e4711222

MD5 hash:

9fc2f97dafe98bf11216e9b4a0251875

SHA1 hash:

8d3cd16af6a4d4a51fc4e8768e7c342f48d8706c

Link:

https://www.unpac.me/results/0b0080c0-88fe-4f40-9d0a-90706c1e3cd5/

SH256 hash:

fd1ecc110c0133a6f1930ad125775ff62f9f93b553b59c075216e73a741526fb

MD5 hash:

8c024b7fa0417a269a8dbf60612275b4

SHA1 hash:

74740bd42df5423238e72ee1292757f35c986fa6

Link:

https://www.unpac.me/results/0b0080c0-88fe-4f40-9d0a-90706c1e3cd5/

SH256 hash:

5a9e64482afd6406319b956396c12b8e165f2d2e95ecda530bbbcd436e52f6e2

MD5 hash:

e7cd8fd81000b26f810afc96c537be95

SHA1 hash:

2959baf46a5d0c671530fc5f2a1e34a7eed6958f

Link:

https://www.unpac.me/results/0b0080c0-88fe-4f40-9d0a-90706c1e3cd5/

SH256 hash:

76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977

MD5 hash:

bf78f7d9bb46ae5314ec7b6d9e651b23

SHA1 hash:

78424f07e9a07b41322a2a91fa71a7db42a8dfd6

Link:

https://www.unpac.me/results/0b0080c0-88fe-4f40-9d0a-90706c1e3cd5/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/76023ee62db3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	PureCrypter Create hunting rule
Author:	@bartblaze
Description:	Identifies PureCrypter, .NET loader and obfuscator.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample