MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
SHA3-384 hash: 4816c17131b93a2a1248d00316178b952831c076d5eb43b3f87aa8a598face15fd328f8e27372e75613dc2e26a8c27f4
SHA1 hash: 76534119d4fe5ffc5a4961bf1e25f2f203fc1a99
MD5 hash: f36ac11608bf695e552445fd88200e91
humanhash: seven-social-nineteen-hawaii
File name:inquiry EBS# 82785.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:984'072 bytes
First seen:2024-05-27 10:17:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:6ZqKk6v6p1S93C60rewPgwdtCvybVnNqJUsyRI8paAuzWB3UzxYLw8VuopmpvOkR:GqKk6YRr9gahcyG80SEYs8VRpkvV
Threatray 64 similar samples on MalwareBazaar
TLSH T16725B13C18FC2A229160D6A4CFE0C663F150F4FA3963992299D24755474BE9BBDC327E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c.exe
Verdict:
Malicious activity
Analysis date:
2024-05-27 10:33:28 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/097781c4-c037-4a0c-9b51-81a1093324bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Pwsx-10030446-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66545e5e121317197511fd7bwin7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Static Msil Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/66545de92d9fecd0b7e3d02d/reports/61c5edcd-7aa9-4cd1-b5ac-6b936a962849/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/085ee948-9ce1-475e-a692-c75ff20f7269
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1447917
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1447917 Sample: inquiry EBS# 82785.exe Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 32 www.ycwtch.co.uk 2->32 34 www.pricekaboom.com 2->34 36 21 other IPs or domains 2->36 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 8 other signatures 2->52 10 inquiry EBS# 82785.exe 4 2->10         started        signatures3 process4 signatures5 62 Adds a directory exclusion to Windows Defender 10->62 13 RegSvcs.exe 10->13         started        16 powershell.exe 23 10->16         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 18 hbfEEdNoiUG.exe 13->18 injected 68 Loading BitLocker PowerShell Module 16->68 21 conhost.exe 16->21         started        process8 signatures9 44 Found direct / indirect Syscall (likely to bypass EDR) 18->44 23 iexpress.exe 13 18->23         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 23->54 56 Tries to harvest and steal browser information (history, passwords, etc) 23->56 58 Modifies the context of a thread in another process (thread injection) 23->58 60 2 other signatures 23->60 26 hbfEEdNoiUG.exe 23->26 injected 30 firefox.exe 23->30         started        process12 dnsIp13 38 pricekaboom.com 185.31.240.240, 49712, 80 ZONEZoneMediaOUEE Estonia 26->38 40 www.0bi8.fun 107.151.241.58, 59274, 59275, 59276 VPSQUANUS United States 26->40 42 7 other IPs or domains 26->42 64 Found direct / indirect Syscall (likely to bypass EDR) 26->64 signatures14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-05-23 07:35:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrsdyk3bwxvaxcwbo3o6dg5d6uodyi7546edwntugf64gp5wivwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77
Formbook
5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
Formbook
9d3e2f47c9e19eb3dd2ad6ff1b00ae5e7b429c4c997268a42b3f75c6d448090a
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e
Formbook
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240527-mbzmsahb64/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2f52389b-8a78-44da-8312-52b2843e0b94
Unpacked files
SH256 hash:
28db43da3af01ec123ec09e679da5e49fd6d6263134b4128a82dcf74d1a613bb
MD5 hash:
bd70af299571dcd57b13952abcaafa97
SHA1 hash:
08936d61b4e9c04fea0c3d0de38a774a1f4a8830
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
Parent samples :
5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
cc6fe888cfa26f47c4782b2a32ffd57a4440a3dc04aa7493332d5450a404794a
f970aa14ae9a128637c05f5d0772da9a82dde74dcc73b8f860ce3a11e16e1ea5
SH256 hash:
fb36e835b592e7d7dd9f21db0b12b7fb99eff4d83c981beb66dbe2527399d9e2
MD5 hash:
5eef95ef55462405da2c5f0934832828
SHA1 hash:
01e7d4b5cdf17f6a2098fba3e6674e3bd2edb716
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
4179d0c917533722a886792069665ce7c96e0b3e6d17eda7b57ef9ad1b2cb9df
MD5 hash:
3f4518c711e655f78b3744b80760d1f0
SHA1 hash:
d5aad62dae70bee19dd6e42b1e180505c15503e6
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
0b7dcc18b0ef39734a24ca5923b02df82c670d08365fe376f2ed4ff9fcbc6303
MD5 hash:
0441cc0dacc6d821252e66a156b1d9bd
SHA1 hash:
df46cc702950a53a5de7b804d2076ef03f8ac6b4
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
f540e8d603962027b3a1f8b86d035281bfbdd3a05a621ead255825bc2082632a
MD5 hash:
d172f59251b97b415b621d302e1be2b7
SHA1 hash:
b1534e603749c901b5ac185f20e281f6be7fa908
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
b5e802635797769b19ad9b32df57fc4cc0ea40d46401750ec47b135645911609
MD5 hash:
ce632b48e8e147f7968fd213c89773e1
SHA1 hash:
47a2a1e386264b5fceaf2fb2c0f36779ddf1495a
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
dc2ff359411376369f04899ee846b8940a9df9d9458e73b593aa0a7f18fe8ef2
MD5 hash:
ec490672fb76e2f4444613f48d2ccb27
SHA1 hash:
f019599f05ebb026f6016cabcea07224d65fed7e
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
99b8cff8b5c5a07e834996a466c710cd0edfe5d37e365fe898417ef4fdd1ef36
MD5 hash:
4ede34091ae77f2bfc87c335da5121ca
SHA1 hash:
dc4fda4da66fb34473a0121ddd7d42af78d41e5d
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
b7a00607c011754b52ccce31622b410320f7cadbf962c30ee99cb00fe9c5916c
MD5 hash:
2065ad718bf88750ea09480f9c04088a
SHA1 hash:
d4c0ed411f2a054a844f51a096d85d11f6acd5e4
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
bb9d453e6edcf2e1fc54d439e28d75cfbf39439b006d2b91252e1d68304c0391
MD5 hash:
2a8410d632dc884285a8c0083ffb19d4
SHA1 hash:
c6e2753dd1ae0ea6923a0575c8653d00121ddd7b
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
502e1a3ed654f4872aa9b8a7e49bd85ffbbf1f06c20114a60e2a6a8ef119d8b7
MD5 hash:
bf38f4c53497aff09ed9f4386e1d1f2f
SHA1 hash:
78c42f655c5e87305b2b741ba792d8a2f4199f7d
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
c7d13d0e3f868a2fce7974e708a32565a6d4a01305b5d53498cf6a574fffee44
MD5 hash:
76c6f73b87a787ce202ec8d410c5c2e7
SHA1 hash:
359305ecf4dbf022b7ecb99ffeed439815ee35ad
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
SH256 hash:
84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
MD5 hash:
f36ac11608bf695e552445fd88200e91
SHA1 hash:
76534119d4fe5ffc5a4961bf1e25f2f203fc1a99
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/0e7e058c-106d-4d0d-91da-992ec5846f16/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84643c2b61b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments