MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 20

Intelligence 20 IOCs YARA 8 File information Comments

SHA256 hash:	8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f
SHA3-384 hash:	6920b19120bab656d0c9308af628722970e03abbb2295fc69440860227334f1ab01777b5134f64b6ddace575554707e6
SHA1 hash:	91148974cf0d66aaac1648b64404b9c24d141d3c
MD5 hash:	0fa31cdedfad8f0dd2a1b1b6c0f1b957
humanhash:	lemon-foxtrot-georgia-queen
File name:	SecuriteInfo.com.Win32.CrypterX-gen.29279.29610
Download:	download sample
Signature	Formbook Create hunting rule
File size:	712'200 bytes
First seen:	2024-09-02 04:17:32 UTC
Last seen:	2024-09-02 07:06:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:9GZKzvNUOBKYvI8hGayiRMhBcRiPNWZIBRR4LPJiyIA/ZMDPwffC0UNj6eWf1yrw:AOOyGPiRMhBciPHrRqJiyIZPwffC00O5
Threatray	3'313 similar samples on MalwareBazaar
TLSH	T19BE401981B18EA02CA506B755EB0F1B56B782ED9BC02D7475FECBEEBB871F104D40252
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	00c4fce4d4dcc400 (3 x SnakeKeylogger, 3 x AgentTesla, 3 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

364

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Win32.CrypterX-gen.29279.29610

Verdict:

Malicious activity

Analysis date:

2024-09-02 04:19:42 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/342324e5-d23c-4864-8dc0-ab9f8c34ef65

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.29279.29610.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d53c7fa0c486d2f793fbdc

Tags:

Encryption Execution Static Stealth Formbook

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook overlay packed

Link:

https://www.filescan.io/uploads/66d53c7b8a851f90c65b4b19/reports/405b616b-0809-4e46-9a0e-731ee0f77b03/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6dd0b36b-93a5-4a55-8cee-34cc5011649c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1502614

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2024-09-02 04:18:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qfahdadv7m6pkxqjr5upvdp4oubcuix3mwdbcubyqc2mbrtu24pq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1b26a745788fd6ad7ae9ac63cf5bcfd806d66b63d17541ddde02589fe10184b5

Formbook

7565e6753a23fa9393cd3a32b1f65153658a48d8a289a2571fd9285f6628ac65

Formbook

795a83d84b04c245a8b0ad9221ea20a4635ad6654f22d533f499a5523ee2fe71

Formbook

8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f

Formbook

d00473faeb52860f46c2f850f4bda73473b569a3ce79974b909c4203b63dcf95

Formbook

eeabc02c0c8b1e32a032f2573a61e8154570f6d9d9485bf40207328bd14447cf

Formbook

+ 3'303 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:m49z discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/240902-ewybfssdra/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1d8f06bf-98cd-4063-a7f2-9a53c3bc92b2

Unpacked files

SH256 hash:

cc21fb5176f80fe8675dc53593d7d5f16c9281b8cbd4c27d57efec1a0cf8c7ca

MD5 hash:

ab19ef006b00391a9f0a2bcd6504bdf1

SHA1 hash:

11bb9760e7f3ee292467327ae5a2c3f22748f4a4

Detections:

FormBook

win_formbook_g0

win_formbook_auto

win_formbook_w0

Formbook

Link:

https://www.unpac.me/results/10e86ab0-9064-4ec5-83b9-8a71caf14d2d/

Parent samples :

1ac77b641f98af7d2d5f052af2721c8154b8c922be31ea7914ea76bd8c6d17c1
d00473faeb52860f46c2f850f4bda73473b569a3ce79974b909c4203b63dcf95
eeabc02c0c8b1e32a032f2573a61e8154570f6d9d9485bf40207328bd14447cf
8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f
c8500adf5318aa42e5cfe9d6efe18d328538a6d8b36765d68820d2b99c3c9626
4a16f87ede74f8f5cf4af54e78a69380979b1147a8302cd371d50947c4a0f0fe
2ba240529791fea8319f1ac0779d58b0bdfc7c9d83abca2936e3637f77a3da3a
9adb74d4a3e30d322e070b91da3865ae8c7b71dd0f4ebce22538d0ef73a55264

SH256 hash:

c53fec9c326166a194d570d84f648521f4e07747d3dc741aae902b36d2c600bb

MD5 hash:

1f2c3922e065b218274add911452a4b7

SHA1 hash:

e696639cb23b0bf46488f483d8f545a525afade9

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/10e86ab0-9064-4ec5-83b9-8a71caf14d2d/

SH256 hash:

8f3e8fb00b864b774ba1ff591b4d2f29d04cf4fea45e179f39309b984a92093c

MD5 hash:

d0223abc16917fd6ab9a529f597cc431

SHA1 hash:

6de268dcad66b83e126c39b7cb8aaec020d64dcb

Link:

https://www.unpac.me/results/10e86ab0-9064-4ec5-83b9-8a71caf14d2d/

SH256 hash:

8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f

MD5 hash:

0fa31cdedfad8f0dd2a1b1b6c0f1b957

SHA1 hash:

91148974cf0d66aaac1648b64404b9c24d141d3c

Link:

https://www.unpac.me/results/10e86ab0-9064-4ec5-83b9-8a71caf14d2d/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8140718075fb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample