MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683
SHA3-384 hash:	783b6546d451ee2795c50bda59c32c5147eebfe80fc213afa796a23333727929f8a372f897942cb987829f977ef8d9b5
SHA1 hash:	cfc5eeb8267968c80d6fd3057bfcb70f372902c9
MD5 hash:	28b078fe06dd7cdd5fecc00a6f5b48df
humanhash:	spaghetti-fruit-table-low
File name:	Remittance_90523_03.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	692'736 bytes
First seen:	2024-02-13 13:16:21 UTC
Last seen:	2024-02-19 08:42:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:b1keQ5vzilt4LBim9UX021RCuhg2p/CHbhzgs0q+qhAMFJV1a9ADVAQE4ao:b1krincB1U3It24yrq+qO+JVrJv9
Threatray	849 similar samples on MalwareBazaar
TLSH	T172E422201A24E3A3C56917FC692322C623B723A753A8FB0ABF95149E4D73307B751672
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	ccba71ecccc071b2 (3 x AgentTesla, 3 x Formbook, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/475963/

Detection(s):

SecuriteInfo.com.Trojan.Siggen26.8227.14355.6811.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65cb6bd2721c476da6b2cb0b/reports/94eef54b-7518-4b20-831c-31249ac51286/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f46d7399-f34f-4959-a0e1-26a62d6d3372

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1391401

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2024-02-13 05:28:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pii4gxqxdg6zlqwtrghsru44efbwawdf2av27eq3yf4jyw76m2bq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2d9aa18c34940edf126de6ccfcba6bc40b6b8cb7728c458c791d50d19c1e0001

Formbook

421bc23fe947a02ce49679bf4048785e3d50f4b914c0de05119fd12888687623

Formbook

5d47a80d0d70a08c67a9a793bfbbb939c9b13938e76e4b03f8499b3f4e4caa6a

Formbook

7aa1c19a3c4e2ebcbe15bc2d98dd4fc4aa93fd2cb9130290d17bef4faf7c2fea

Formbook

7c3c5db1be920d65d9f3e1507ad053141b43d5a5cda9c77e01c0eeeeb9a0cf17

Formbook

acf572835899c617dde70bbdcee3eb6cb27582f6aad484e1d5a206c9ef9c2d14

Formbook

d948f80bf490f2dd3633d96c0c730b023984f67c45f225bf4c1e169085975293

Formbook

+ 839 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240213-qjdbasca32/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

db45c91f048f475e4fc2fdd60915c4360a9b54e7495427b4322c5033b114b2cb

MD5 hash:

51db6376d98468b832585c4e032f2d3a

SHA1 hash:

a8fa91d277a15bb73ee53c86b30d4f36309c4dc8

Link:

https://www.unpac.me/results/7e9d04b0-e999-4ec9-86b9-fe61f2405fcd/

SH256 hash:

b3f2bcb08ae6ed77b51186dc73ac27afc31c9e3b175914fbc7e932a053024057

MD5 hash:

8edcf081ada9f28a2722afb40ac6e099

SHA1 hash:

9a1d6568a6063fccac7eef51a12cbdaa81b82262

Link:

https://www.unpac.me/results/7e9d04b0-e999-4ec9-86b9-fe61f2405fcd/

SH256 hash:

971c821aa19832e04f1dd44b19cdb909d36d27be2f9e62edd10bf7887a43d15a

MD5 hash:

6d7a285502323918820b8513b5f33d75

SHA1 hash:

9633177bbb29c2563fec4a7dd381f4a278588437

Link:

https://www.unpac.me/results/7e9d04b0-e999-4ec9-86b9-fe61f2405fcd/

SH256 hash:

8c69c6e93b1d2a3691f7b6fc64b06d5f2ab8090d69339f87eb38e7ab3df68e8c

MD5 hash:

2b586cf73bf57280713dab55eb28bc14

SHA1 hash:

68e61e2763119339813c5a527ead166a0e134cf8

Link:

https://www.unpac.me/results/7e9d04b0-e999-4ec9-86b9-fe61f2405fcd/

SH256 hash:

fa4d6e5194b9756ad11ae32245d89458266715430252def03ebdc61c341a683f

MD5 hash:

24f20db2feb6ddb62cf948cbccd42c0d

SHA1 hash:

3c6f2dc3bcb4b9088152c9b449ce2c46fc9165c8

Link:

https://www.unpac.me/results/7e9d04b0-e999-4ec9-86b9-fe61f2405fcd/

SH256 hash:

7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683

MD5 hash:

28b078fe06dd7cdd5fecc00a6f5b48df

SHA1 hash:

cfc5eeb8267968c80d6fd3057bfcb70f372902c9

Link:

https://www.unpac.me/results/7e9d04b0-e999-4ec9-86b9-fe61f2405fcd/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7a11c35e1719/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 7a11c35e1719bd95c2d3898f28d39c2143605865d02baf921bc1789c5bfe6683

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/475963/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample