MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6
SHA3-384 hash:	da15f2f84e75e0284b29324e2e8ec4ead66868b0c40a4033693df4d953db45de4737d569c3007a4e783127d19f03d237
SHA1 hash:	b87364f588305d5c3ac3d75109c905e513a651c1
MD5 hash:	1bb3334c556d0b4a30dc7cf46c49ece0
humanhash:	burger-fanta-triple-hawaii
File name:	Gecikmiş ödeme #0098383.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	827'392 bytes
First seen:	2023-12-28 07:54:58 UTC
Last seen:	2023-12-28 09:14:58 UTC
File type:
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:W+bnx5zkzQR6i+SPwPf+OjY50lfJOZ9P/hmmVwIlpCVqv:WS6vLJ8WFcZ9PJxiIlpCVqv
TLSH	T1CA05B0FD08BE12F781ADF6A58BD98B27B014887B3111696B94D743534306A9239F31FE
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe FormBook geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.5585.30708.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2860beba-a81b-4a92-86e7-44cbd516db3d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1367612

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-27 13:14:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qmzep6ikfsmk22crjbetoz3ej2hdrbxoaatjhcxt5xwsra7ggpla._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231228-jr4pwsfehn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Unpacked files

SH256 hash:

89dcab94cb1f06141c56bfbb990e2b17ac77e21d16fdc4a72b5e70733fde631b

MD5 hash:

807bbb4c3ca9c4d5efbe9e1f37ed45dd

SHA1 hash:

485e71358976f96c7975662061745946c6123400

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

666cb98e340b5158ef5797bd5dad61f598b19969d42d14d7c5267301c2b7d532

MD5 hash:

575b66ee28fb3fe42c553cd514e9bfdf

SHA1 hash:

7dc4d72932dcda729fc69751bc4ce6c98a1adc7b

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

688d9dfc89eae5b206d6ebf535d436dff31b58dc1cc56db9aed0d2302081cf74

MD5 hash:

22ce25095aa66e42c25431dc58cf69a1

SHA1 hash:

9e2276321f794a27b27fcf106da7f1a2d7680132

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

2af7e4e790f61b05899b41211d308f54e70016420b3ef7d5e31d40ad5cc36b47

MD5 hash:

9e522f8c677aa9941bb8a4b29765871b

SHA1 hash:

7c75084f4b6525ae20c18a752cb310db20cc5eb0

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818

MD5 hash:

440bb4db146ccb1161ac2bcf365d7676

SHA1 hash:

506eda511b46df6e95d86861e70fda81307f8623

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

dac6ce79af386b9b3e79a6a489c5c98258497e2fe78d2ddbb868f85d51f46269

MD5 hash:

d6b5758f1ab576ecffc1271508a956df

SHA1 hash:

cd6b9d580480b2dafc8afbb70098e38eb3e0c0eb

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

d5388e4093b45225b6160c35fe517491a14065266f54a9a7dc59c2338fba3c09

MD5 hash:

748acd212d9306a87a00c22a4a716337

SHA1 hash:

ac912c5037faf222272da6eabb33cd84ddf8e1f2

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

649f93b757a60de9acf54d6798e27c82303ec47ba754b6bd238917f92dcad7c9

MD5 hash:

fde2f718fc9765f9db9f606758db69fe

SHA1 hash:

7b190e8ed36373f59a1bd356caa9ea790af8b18d

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

a26a0b824099c7f761889957f1a89528650137b8f56994b718390e65697669db

MD5 hash:

7c6e8852e2567ac35f4775235f8ddc8e

SHA1 hash:

6d94be44b66ff70babff1d5324101cadc5fec7d3

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

fcde0317806bfe57457673d99baf4056c30f018e09f2877eb3180265fb8d9b67

MD5 hash:

1626d1b350bd075cfecceeeb19b5ed77

SHA1 hash:

59bfc1514d09cd03814b2b9bf66e7d4e9bee3d77

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

1fe9e6ffd98aac6a2ded0c7cb904485e5742e1d4d6ba73c848d193c29935147c

MD5 hash:

0979712c0ab8cad65f6c10975eb1d639

SHA1 hash:

550048524af8ced23060c4451b68c98e080abffb

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

SH256 hash:

833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6

MD5 hash:

1bb3334c556d0b4a30dc7cf46c49ece0

SHA1 hash:

b87364f588305d5c3ac3d75109c905e513a651c1

Link:

https://www.unpac.me/results/7c7f6b74-94d7-4272-886d-1381d4c1070a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/833247f90a2c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

833247f90a2c98ad685148493767644e8e3886ee0026938af3eded2883e633d6

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample