MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909
SHA3-384 hash: 713589d5c1c3d8f25aaec45f5cc5071b4db66497af4a2b0485305e3f3955d694ae3140105581311cae87966e8bbc9625
SHA1 hash: c7502270b45198a39a617de2ca5082e5d9308a02
MD5 hash: 52299a26c9143bd246e0b9daf6d0788c
humanhash: moon-romeo-single-yankee
File name:SecuriteInfo.com.Win32.PWSX-gen.7407.19798
Download: download sample
Signature Formbook
Create hunting rule
File size:615'936 bytes
First seen:2023-08-17 06:32:11 UTC
Last seen:2023-08-17 07:27:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:WxFtTqDl+C7W6lkpRv/9MKBTUpg4bGl3ql7xgch+5YjW55kdFoA8rbVYKDpa4tAa:D/upZ9GAqDgchh0pnVvDpWe
Threatray 3'546 similar samples on MalwareBazaar
TLSH T143D4126071392F32D8791BF60421A18007FA7A7B69B2E75CCD81B5DE646AF844F91F0B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.7407.19798
Verdict:
No threats detected
Analysis date:
2023-08-17 06:35:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ccf6aa7c-2c71-4660-95c8-34584c2bf06d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443151/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.7407.19798.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06ae4dc4-399a-4aef-9edc-b6e8e1d678c4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1292605
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-17 06:33:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
14 of 22 (63.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmln6dccljeyjhvpbrk7vqyh5i5mqlx2hkb3h2tyn7ld5czyxeeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0be1cd04cb84003839d5438dda8e2c40e89857f5c48300e59cac9db26ae7ebed
Formbook
2b33fca6ad1c4aeccf99eb4fd10ebdd20a00e2889769a1cf34f18d905504d082
Formbook
2bd80ec646ac91c6c189040cdfa72d7bcef22d51daacea4bb7da7d3d5da5b034
Formbook
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Formbook
50ecc3b01ef9acca243b41728e62bec369d80da286281895cf3c4aadd6a1e444
Formbook
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
Formbook
9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
Formbook
d54197de152cea04b823618588d90e7462b78e11602a9eb5c425ce8db7057a80
Formbook
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
Formbook
f842837f9f2f4794a3e909771825541f207304a5148cc630812be2ae71253d1b
Formbook
+ 3'536 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230817-ha7jsahf4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
8b45fc426e77ddd3195a72be5921ebd9afdfa59a256d5afeca7aa9b559472545
MD5 hash:
cddd0d8b849089c7acedd9d9d4d03cac
SHA1 hash:
6cc40a11188cd57765da7ed49ed8900679d93251
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4896303e-8692-4c76-acd9-ee8771f519b5/
Parent samples :
8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909
e7c6065d235655ee2fa7871ee73a8d14b4f88b87351de7752a4c9569739b667d
0b6787b9226255086a296198f8075b09bef790ebce89c8b3020f9ca2e3ea859f
c0545f16fbbecef4ff1983c05e620651f24c48d3debaf525fd3e057ef688fae4
794b5731c293822cc916b19f0e7dd93d86b05a58afb7aff39255939953ae17d0
185e9a246303e86f45428ff67d8e44da725dfd3220106e75e38d278a1336a727
84a957af4bee9e5f07b399e5a36ea6b59038e85d3efb2f0f6bd86de787f634ad
e41ce47cf174f8b3f909756c90495e990b4f5550da4bd7e1a6b5ba50ba0ba9e9
SH256 hash:
d2a54851ad1edd06bc3ceab670cd77aa16b0788cbd76d12c9e47892a951cfc8b
MD5 hash:
630dee8d5f38b657a9d3eb023ce44e01
SHA1 hash:
32e2b234b1ea7609d389872ff5ff18d2eb79fa68
Link:
https://www.unpac.me/results/4896303e-8692-4c76-acd9-ee8771f519b5/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/4896303e-8692-4c76-acd9-ee8771f519b5/
SH256 hash:
9c07d77285881e892f7af2b363253a9b3ad4e38b52275a1e9961b4966cf82aec
MD5 hash:
b3d6d8a6483a5a10141291a72e16edef
SHA1 hash:
a18ef4109004bb78b3e17495cb00595007014b20
Link:
https://www.unpac.me/results/4896303e-8692-4c76-acd9-ee8771f519b5/
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/4896303e-8692-4c76-acd9-ee8771f519b5/
SH256 hash:
8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909
MD5 hash:
52299a26c9143bd246e0b9daf6d0788c
SHA1 hash:
c7502270b45198a39a617de2ca5082e5d9308a02
Link:
https://www.unpac.me/results/4896303e-8692-4c76-acd9-ee8771f519b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8316df0c425a49849eaf0c55fac307ea3ac82efa3a83b3ea786fd63e8b38b909

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2705105/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/443151/

Comments