MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
SHA3-384 hash:	2996067f2ee0f0d166e002dca868eacdf1d7e76a6c7a6db1cfc28afe8a77a4f8e98cf6307818950f2e2869f9131246ba
SHA1 hash:	bddab9deba1f1b2c40bbf1889795a5585325bea4
MD5 hash:	1494ab51e18f84cd6e41c89b84f5d585
humanhash:	london-oranges-oven-coffee
File name:	SecuriteInfo.com.Trojan.Olock.1.26419.25236
Download:	download sample
Signature	Formbook Create hunting rule
File size:	812'544 bytes
First seen:	2023-05-16 17:38:52 UTC
Last seen:	2023-05-19 02:46:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ivaZiSljSRU3jkbOOT+LwNjdvaqKn/1edBcYfZHVceUu+eHHKS7:SaZBo6OKLwNhvBKn9IBDf5Wvif
Threatray	3'092 similar samples on MalwareBazaar
TLSH	T17605723D0AA58AEEC0BBD364A7CC4997FA739817F15C9B6D54C6034272436CEA0C25DE
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Olock.1.26419.25236

Verdict:

No threats detected

Analysis date:

2023-05-16 17:40:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5cd780dc-99ad-455f-bcaf-9b4afc65eda0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/390545/

Detection(s):

SecuriteInfo.com.Trojan.Olock.1.26419.25236.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6463bfb870bf54db4a1abb4f/reports/4b90b5eb-cb49-48f0-9ee3-87731895b5e1/overview

Verdict:

Malicious

Labled as:

Trojan.Olock.Generic

Link:

https://www.hybrid-analysis.com/sample/83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b292b19-876a-46fe-bb22-9bcee3082620

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1234762

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2023-05-16 17:39:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qnsvkyn3yjni3dj6on562kb34mxcfcmcgedtdkleaaahs7gveczq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08

Formbook

29d58f95baae09dc7c45b4185c2d3c221b4d20b6f1b99575302112211493464e

Formbook

4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769

Formbook

54bc8ad70bdd156ce345dc785b4858d2b47a69b74855f76a7016d1aae3b74e13

Formbook

6e47d662e6f00f4c8b160545fc27354f3e2fb8955aa1c4de6303f44a80b6015c

Formbook

a21c6c623959c4995842ace85f7f5a7e3751c4930d28ebad92c7a737a7f8cfb8

Formbook

b36b113a82b932ee2081484ca969a0fc4008c80199c4c8ab1d3f66f12d9e60f7

Formbook

bcfc27ac62a86bb98e019ba5eb2c6032fd5a56f6aacee84974b07217c2c1fe7f

Formbook

e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679

Formbook

+ 3'082 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230516-v793dsba2t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

e031d5f3652259dd052e79eaee198ab7fb0feb522a859771289a39a73a297f06

MD5 hash:

5e5b621044793588fde2b9482b862083

SHA1 hash:

b85e8343fc412a63748589cd544b90ccc841dc92

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/43717f3a-d413-49bf-a48f-a8d8878cc1d5/

Parent samples :

0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
19a7140e84227b4d9af59569af23a0a5a1edd34c45b24691348f227f2c540712
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
8bc2209887fffd6b27980ba8c2c138deb45370c5b0a8434f9542897c6a05c931
ede3876cdaa9f15dc9f49a080713bfc4e254d222d99c2a09b999d62d1d4f8c05
b755e080b9f6705b088275a44a96251bc547ad58b4f63c9988d90e1c97bf283f
36bd2802a452a2bee1659648b0a4b1de0cde1ebac09d0d5ebe0e2c1189483432
6371e6f808e46f98c8d2e98d1a81203dc6ec3aa755ee5e61bee436bcfdb92cbd
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
607dcd836bd33a6d2afe6ef3c632468ef126eb49923409e246ba7ec86311c5a7
00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f

SH256 hash:

fc83e07cff47a7ea1058bf4d75f6d98fcdaf457a6f88007dccbbc36796a16847

MD5 hash:

fe559bbf47ec0c554420bba97f79ba0e

SHA1 hash:

c097427b5800a352d105c830e98332fe8925bcdc

Link:

https://www.unpac.me/results/43717f3a-d413-49bf-a48f-a8d8878cc1d5/

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/43717f3a-d413-49bf-a48f-a8d8878cc1d5/

SH256 hash:

5e2edff47d4eeb3b89d58f3b933978d7786fff71aca41541fc9dd4b812a2cab4

MD5 hash:

bfe464993d777c58a862071f41a8ce51

SHA1 hash:

b337434dc4ebca9a24f5075dcba28b7146d77f37

Link:

https://www.unpac.me/results/43717f3a-d413-49bf-a48f-a8d8878cc1d5/

SH256 hash:

83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3

MD5 hash:

1494ab51e18f84cd6e41c89b84f5d585

SHA1 hash:

bddab9deba1f1b2c40bbf1889795a5585325bea4

Link:

https://www.unpac.me/results/43717f3a-d413-49bf-a48f-a8d8878cc1d5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Dotnet_Hidden_Executables_Detect Create hunting rule
Author:	Mehmet Ali Kerimoglu (@CYB3RMX)
Description:	This rule detects hidden PE file presence.
Reference:	https://github.com/CYB3RMX/Qu1cksc0pe

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/390545/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample