MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85846e56e40f6b85ab49d60d63c727503ddccd314986d46fc634400d0075c1a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85846e56e40f6b85ab49d60d63c727503ddccd314986d46fc634400d0075c1a9
SHA3-384 hash: 015b91d5773c7b8879a36e73662580c7b5bfab15b38bfd8e64eceb083227310734a79b846d9a6543ede267a6cce94e34
SHA1 hash: a7f7f50320b4264dc36e7579b2ddcdcd74fbca6c
MD5 hash: 177d03e47be8dfad3e407097e6d12b4e
humanhash: eighteen-vegan-jersey-ohio
File name:SecuriteInfo.com.Trojan.PackedNET.738.26873.3369
Download: download sample
Signature Formbook
Create hunting rule
File size:815'104 bytes
First seen:2022-10-24 16:09:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:py10PPJaxEOCf5lpLR6AlA6CYv9+flg9v/oMfXGKiN01t0ExyjP+cfaslr3RjWA:5Qflg9Hi3X6QPTL1WA
Threatray 15'049 similar samples on MalwareBazaar
TLSH T1FF058C34279A0F07E0DACF38B4B0D1B057669D7BB96E8A86CAD46CF779122B05D0D187
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00c4f8d2b290c200 (6 x AgentTesla, 5 x Formbook, 3 x NanoCore)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.738.26873.3369
Verdict:
Malicious activity
Analysis date:
2022-10-24 16:14:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b65365c-d61e-425a-9568-64ac61d1393a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323501/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.26873.3369.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80c60757-1f6f-4ba4-b83b-833b9d4ec14e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096767
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729408 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 6 other signatures 2->49 8 pgFDtVy.exe 5 2->8         started        11 SecuriteInfo.com.Trojan.PackedNET.738.26873.3369.exe 7 2->11         started        process3 file4 51 Multi AV Scanner detection for dropped file 8->51 53 Machine Learning detection for dropped file 8->53 55 Injects a PE file into a foreign processes 8->55 14 pgFDtVy.exe 8->14         started        17 schtasks.exe 1 8->17         started        35 C:\Users\user\AppData\Roaming\pgFDtVy.exe, PE32 11->35 dropped 37 C:\Users\user\...\pgFDtVy.exe:Zone.Identifier, ASCII 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmp56D6.tmp, XML 11->39 dropped 41 SecuriteInfo.com.T....26873.3369.exe.log, ASCII 11->41 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 11->57 59 Adds a directory exclusion to Windows Defender 11->59 19 powershell.exe 21 11->19         started        21 schtasks.exe 1 11->21         started        23 SecuriteInfo.com.Trojan.PackedNET.738.26873.3369.exe 11->23         started        signatures5 process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Queues an APC in another process (thread injection) 14->65 25 explorer.exe 14->25 injected 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        process8 process9 33 msdt.exe 25->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85846e56e40f6b85ab49d60d63c727503ddccd314986d46fc634400d0075c1a9/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 11:39:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qwcg4vxeb5vylk2j2ygwhrzhka65ztjrjgdni36ggraa2advyguq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0
Formbook
401d8ede073c42e3cb7c03934bbbb8b1ace7ae84c88098a680c6cefbaab26cdf
Formbook
49139beffbec5c8b7f4f11e82112e0972f60de6b7064456b1cec936d5dd20cec
Formbook
603b9ff5f2450d74e36a1102c2376268b08224658f5b1dfa26d3e53636a76660
Formbook
649e67dfa9829d849ab0e2e5dd9c40702dbb89cf5a8a02ad111c5f2df79c411f
Formbook
8ba89f4cd9f76d5ec870673db35849d80c7bb2a46614bb4e7a8fd2e951846c11
Formbook
d0c9d5f00d0620b708926f4a582f1d6ff405710c9533adfeaa9847c1f1f382d3
Formbook
d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb
Formbook
f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
Formbook
+ 15'039 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s5zx rat spyware stealer trojan
Link:
https://tria.ge/reports/221024-tmc2gshehr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Unpacked files
SH256 hash:
e7cccb43dd3b796e66281d2f398c390ce0942ae8214ccc306219a938fd4d5656
MD5 hash:
f40c50b52491bd866e05761d98d141e8
SHA1 hash:
b6ee73fb9683096944f650c35c7143a7c31837ea
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
Parent samples :
49139beffbec5c8b7f4f11e82112e0972f60de6b7064456b1cec936d5dd20cec
9deb843c2acb12488c174fd87435431dcc1fac8c1fe33e55aa603cfe3e013c77
736808fef49ea666d160c9943b624f0ad79c3d10c44b8042a602d8a31d2465a3
85846e56e40f6b85ab49d60d63c727503ddccd314986d46fc634400d0075c1a9
147cfef4fe40948319917d0118d70d1d4eb67b5de170bfba84b8b27a69f6bff3
a3e826a617c70963f36c801778b0a572d0bd07bb5dd519bbbde5712fe4a9f226
01e953f7efe55cf5970090491b1fc25dce140a505dea9e74bb07b81e3ef4f89e
6fd861a2b677a86550afe16ac310a004723d72b8f9324a861f81c842060c42fa
4f319d971fd23958cbb4a4a2dcc608c2cba461194011e526d693c25a909e8505
e3c262e12306134d77bc9ddab5530cba29e83c9cafbec4ff39ac719540946ee0
4514fc2a757de12c765ce8886024f9e88a24e8c716001b911fab3fa693fcbdb1
7b00599838c328e0b0f684cf8afb33a2e60be3a7e470151541e5ca9cce64d2ee
4c3d925669944dbdec6649638901b8ccb110c2ff971d8cf558ef05f9980ecf69
b20450dbe24a9e4b79d2dc6911d9d8da565fa88776fc4c8ec1ffa9b9dc3e0bc0
137ab99c2cbf5b89d466a1208139b94be31e7668e94b9d0e35c41e180bbbd702
1b60de037862c81181d9068b63660bc31521b0f53a158bf62b05da36bfa92446
cf7453c66634ec6525211464e5156835d5c3f1fd6392a82c1eb6a4775b002ba6
d621c9967cd3036f9e888588e71820eec8f5649ebe8c441ae3ef3bae9e01b0ac
SH256 hash:
e43ed5a4e94e1b17fdde319b08cb15120b3d0c05548c1332d4abbf4f282cb389
MD5 hash:
dd88b555de397f749a9e38a3a14d25b4
SHA1 hash:
5280de0af81c992a7114f029d135f157135a27da
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
SH256 hash:
918284ada094d668fae774f6587fbb04fc86b7837003964d5f411d9dcc6041ce
MD5 hash:
9aeef45fd8298104ca187200f82afcd7
SHA1 hash:
82aad06f7ef37b20541bbad56b231cbf94212342
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
SH256 hash:
42cd9050c60f98ef598dfc3755f8e041aea7d1cf0c7a57ef52d7c4f6d456719b
MD5 hash:
a43e0266155490187f2cd186136429e7
SHA1 hash:
bf699bd8ea84adce29cca3bab2bf2b772284d51d
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
SH256 hash:
7ce373d169a5be355e248442da0c7454024bc776e181d4867d75ce9ad4df90b1
MD5 hash:
e512efdaec8271b7a35f23b012b4504e
SHA1 hash:
a4a187483940839b3da42da6854f93ea373e3f58
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
SH256 hash:
85846e56e40f6b85ab49d60d63c727503ddccd314986d46fc634400d0075c1a9
MD5 hash:
177d03e47be8dfad3e407097e6d12b4e
SHA1 hash:
a7f7f50320b4264dc36e7579b2ddcdcd74fbca6c
Link:
https://www.unpac.me/results/5b1ddfe9-3a8b-4df4-89fa-e474a2f99835/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85846e56e40f6b85ab49d60d63c727503ddccd314986d46fc634400d0075c1a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323501/

Comments