MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf
SHA3-384 hash:	d2a740604ef8fd33bb908b325eceee33a00030692e9e84e8f66cf00b5b576e82fe2e862f3770529860453c1a1ed7d781
SHA1 hash:	6b9eb66cedd25665627c095b40d41913447ca60b
MD5 hash:	384c1108356687200fa75e23c9880279
humanhash:	ink-march-berlin-tennessee
File name:	SecuriteInfo.com.Win32.PWSX-gen.15485.10619
Download:	download sample
Signature	Formbook Create hunting rule
File size:	714'752 bytes
First seen:	2022-11-24 05:41:29 UTC
Last seen:	2022-11-24 10:22:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:SJRgh/PsZ1DX/VDJtmZo6+qLCON4WI1GtpRZF/R1Y3U7t7E:sRgh/Pomxzmc4XAFc7
TLSH	T10DE407CB2F300EC4DB5F34715D8D1B8856523DA149F49CF22B75AA782D468BFA69223C
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.15485.10619

Verdict:

Suspicious activity

Analysis date:

2022-11-24 05:44:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/94641858-d7d4-4d74-aef7-a140b8fe9189

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337929/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.15485.10619.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed phishing

Link:

https://www.filescan.io/uploads/637f042b536377388865bd55/reports/e203e625-5820-4b9c-b6e4-53b4c58ab098/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0543e301-8d49-4b47-8301-376ed59c3dc3

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1120299

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-24 04:09:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 41 (53.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=prdqi56dff434all77ey7bq2zqejqynguk5acwxnoplws52doc7q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:m5oe rat spyware stealer trojan

Link:

https://tria.ge/reports/221124-gd1d7scd64/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/33d261a6-b9d5-4d44-a1f9-224404a6c4d6

Unpacked files

SH256 hash:

1e050e7b9dbeaeef5a13fd50f97d96dc6a7bf16c5977955750f5af8c18bd6a99

MD5 hash:

1e8d6d450d4d29021a1492aa95936706

SHA1 hash:

843c7823b2bf5b08745cc4070b6baaf0e77d343b

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

Parent samples :

90212e18e6b4b235bbb6f4083bd0a2c491e0be12edc600199eb0ed0839d9a554
7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf
4ac30ca3142675b81e4490da111a69336cc0b41b21049d3a8bb6b38e7851b529
937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603
05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b
e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4

SH256 hash:

9710dc374fe631ea03575f6159156c1a105b2da641af25593c016327a0b5691c

MD5 hash:

e0e19eb3bb4dc912f4ad29c31d3a35f7

SHA1 hash:

36ae39734e7d6475e92387f05a184daabee1fb40

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

SH256 hash:

44628ffb6a90ef5b7ba68bebd3d632386a65399aa752116997dd849df4f42d37

MD5 hash:

68f69e66f277e7b2a9824abd3054dc7f

SHA1 hash:

6f09980af4e3f222e23976fdb0d1789086547dc6

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

SH256 hash:

28b186483c9674372111e43a34ce05a8645dfb7f7669507c94c6de335d3d97ed

MD5 hash:

0422b85445b0f8fd4df2cc16f18a56b5

SHA1 hash:

994233bb4b80f5240850ec76980a3a83561440ad

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

SH256 hash:

92562a25cda1b53b45b5eb4196b0f4d9d11e4bcd04f04accfd6821ba048cf339

MD5 hash:

4669eb77bed38631dc2666b13d45673f

SHA1 hash:

83b7b4a3ad0e354a5916ff817a6fd93a2f8f3399

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

SH256 hash:

744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f

MD5 hash:

91fed5db1afcdf48e0cd6d4058a013ba

SHA1 hash:

3717b3346e25d3f66f00626ad1a771d8655f485f

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

SH256 hash:

ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52

MD5 hash:

1f2a6c02dcf9aa00a28a5039fb5b8ce0

SHA1 hash:

1ef480867d39b98368af7586a8e6ba38c0c3893a

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

SH256 hash:

7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf

MD5 hash:

384c1108356687200fa75e23c9880279

SHA1 hash:

6b9eb66cedd25665627c095b40d41913447ca60b

Link:

https://www.unpac.me/results/a6a8edf9-1535-43a5-a641-88015fd0294f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337929/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample