MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4
SHA3-384 hash: 47a7dacc2002351c5089edf1a61b86f9c55e2c66ba7b11ee5e0952d509adc0e16819136593e077be3068b2c5845a0b37
SHA1 hash: 3cf3bfecbb618bb9511420a0bd90439d85970b2b
MD5 hash: 64c46a86f6ae6fa1a15f95c966d306c9
humanhash: lamp-johnny-black-table
File name:ai0bE8523b3IsUB.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:643'072 bytes
First seen:2023-11-08 07:37:42 UTC
Last seen:2023-11-08 09:20:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:zGoORNDgCp85rLTmyyf0xquC/MCKMkP4R6r+iNhXdcVI9o:Co85gCpGLypGqGMpU+QcO9o
Threatray 80 similar samples on MalwareBazaar
TLSH T1A5D4231E37B98B21C5BD8BF9A062A1940376935318D6E724CBCDA0FA263F75C12491DF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4060733230706d4 (9 x AgentTesla, 2 x Loki, 2 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.11058.8422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/654b3ae5993fbf888b69cf53/reports/c3a2ca99-b74a-4159-956c-c078389c0633/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b680444c-d71a-47ee-b114-ae5333bd691b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338803
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-07 07:06:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmxwzuyn5urkpjfsh46kwiz5zo37klnecghovkb75qgagjli7w2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
037500eba0044c05416217ea9936c6b9f4d9ee9a0a05d2d7860245fffdd347b6
Formbook
40203565c21de2f3923f1c4bb185068706f0bf56366cb099e6483737020b2ae3
Formbook
4ecc427abbc3efbeae4fc42d383497728056a76951f5bad56a67002406eaca66
Formbook
5669840788d19dbb20f845d3beffd4ba401886023cb434fc944ad8c2c002b84c
Formbook
7adbcdba6b07a49776e4a3b41d67f8f93a400ae6151f7f729ee20bef0eaed9d7
Formbook
8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4
Formbook
9068c088065cbfd77cba76db460b52833c7ffb261e7da8ac9de4269cad2d81b6
Formbook
e0793d63666fd27dd0132db7bd77c06ed6fb2d9dd919aa774886e9732e5db57d
Formbook
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231108-jgdqqahb46/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
4b9d8affa713a96189e4827cd811890316e81e005e56b77ca668d57d90c32c6d
MD5 hash:
8ccb966e77a7b1e95b593f1a21cc3e83
SHA1 hash:
0890f954b567d85ef112476e3a6bb4a00982c4bd
Link:
https://www.unpac.me/results/c444f1e9-6a62-4ad5-99d0-b95353d17919/
SH256 hash:
b21df2adfa1f35c4aa97000b19b9ca70c5b6e001fa4fcd45fe5f87c0d1384975
MD5 hash:
3c51cfa74fd6846239ff27c5eddc50ec
SHA1 hash:
bdd72228014787d88cf11257fe0a68e7056c8fff
Link:
https://www.unpac.me/results/c444f1e9-6a62-4ad5-99d0-b95353d17919/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/c444f1e9-6a62-4ad5-99d0-b95353d17919/
SH256 hash:
179c0236e70d90734fefe972877ea1265d4bdb5f36a90a6c1d8e748c740eb089
MD5 hash:
3a8a671d9c13183c58f0a4685364b0c9
SHA1 hash:
54776af7d2486f742952b747a3e0cece8ffbe84f
Link:
https://www.unpac.me/results/c444f1e9-6a62-4ad5-99d0-b95353d17919/
SH256 hash:
bfef9eac82e53e8d63bcb3b3022880eaf8f22cbbc6c69f3782b59c438f649f12
MD5 hash:
ddf81912128dd196140e9be656c3a212
SHA1 hash:
51221baf7115f7f2de03cd00b8b25cfde9241a35
Link:
https://www.unpac.me/results/c444f1e9-6a62-4ad5-99d0-b95353d17919/
SH256 hash:
832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4
MD5 hash:
64c46a86f6ae6fa1a15f95c966d306c9
SHA1 hash:
3cf3bfecbb618bb9511420a0bd90439d85970b2b
Link:
https://www.unpac.me/results/c444f1e9-6a62-4ad5-99d0-b95353d17919/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 832f6cd30ded22a7a4b23f3cab233dcbb7f52da4118eeaa83fec0c032568fdb4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments