MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882
SHA3-384 hash: 9a1fe748e7b7142fdbf5b26ed1a76115cbb210b2bcab68ea8365d01ddd56275792fb00fd851655b20b471c9d83d7dd1f
SHA1 hash: c6df1fd2ee803d88164143a7c4b014bf97eb5598
MD5 hash: 202ff26923cb44846d9dc5a223acfae6
humanhash: zulu-wyoming-black-kansas
File name:202ff26923cb44846d9dc5a223acfae6
Download: download sample
Signature Formbook
Create hunting rule
File size:51'200 bytes
First seen:2023-12-01 03:59:56 UTC
Last seen:2023-12-01 05:16:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:gsqI1O6YW4wHKMPpj3srDFBOKWKIovsHShbAGrTUUEyZbZCGlJ2bVGRaBWF:9LQ6YwTpj4PO1ovsu/UFGz2bVGa8F
Threatray 2'118 similar samples on MalwareBazaar
TLSH T14A33591CA7CEAB23C1AD467FA4E377814375D1B6E34BE78B2CC8422415977EB8801A57
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
102510000BOMC8X.XLSX
Verdict:
Malicious activity
Analysis date:
2023-11-28 10:52:04 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/a3087dc9-9bfe-4315-b6fa-04194110638a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461554/
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882
Result
Verdict:
MALICIOUS
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73347f88-6e21-401b-9d8e-d82f766b24ee
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1351059
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-11-28 13:39:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qugzfspvpsqakbtmsl3mxhmwgqhc3i3ttdmimiyw2roi42q7rcba._file
Verdict:
malicious
Similar samples:
0e418d04674868bec602f83b469c6cec020de614ca02880cf02cf18086279421
Formbook
5037733d3123c797e4c67a9c4d6aa45d99486f45afb64bc52979c142defa23b3
Formbook
56cfd7df1800b2c751e56c983a8e33c39b3e2c8d34368c6fa51582f306f2eff9
Formbook
6950eef4d380c2396d2df2483f374e07834842a0299133ad9ab18ba483fa54f8
Formbook
850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882
Formbook
b7c7c849a3caf9999aa15fbf355cf825c00709240fabcd390810847e1f06e719
Formbook
+ 2'108 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat spyware stealer
Link:
https://tria.ge/reports/231201-ek3rsseh4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
7d1fc34907813ebbc16c029911f96cb759d879722e69d1d9ee2be830f9e3810d
MD5 hash:
1f9b56106526995782d144de2ec73c25
SHA1 hash:
70738e01d7f58054ff10ca5a7f1c63dbf49e7bdd
Link:
https://www.unpac.me/results/fd5bc05c-78a2-46be-8204-35c528df9f77/
SH256 hash:
850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882
MD5 hash:
202ff26923cb44846d9dc5a223acfae6
SHA1 hash:
c6df1fd2ee803d88164143a7c4b014bf97eb5598
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/fd5bc05c-78a2-46be-8204-35c528df9f77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 850d92c9f57ca005066c92f6cb9d96340e2da37398d8862316d45c8e6a1f8882

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/461554/
  
URLhaus
https://urlhaus.abuse.ch/url/2736471/

Comments


Avatar
zbet commented on 2023-12-01 03:59:57 UTC

url : hxxp://5.181.80.126/Zrwjjtizco.exe