MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
SHA3-384 hash: 4a24f325873e4751215e6236081b63e8618b300ba7d3d59f9063ae90d6d596fb1d59d8d08dfd509df0064583c72919c2
SHA1 hash: b897636e60d041c518422da34325c7810c1f3404
MD5 hash: 0b8096803c8a92e49a117832e8005e90
humanhash: november-enemy-mexico-bravo
File name:PO1038854.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:793'600 bytes
First seen:2024-09-30 14:11:25 UTC
Last seen:2024-09-30 16:31:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:+Xusruc84Pww5Bg6i6os91E3x3u2yoVKlF62aQqurR4FxRnifrmTeUEP3p2NUp:+Mc9DV1QumMlqur+Ni6Q5
Threatray 5 similar samples on MalwareBazaar
TLSH T13FF402086AF8EE1AD56E477694B0415067FAB8DAA673F31F1FC230F51F26784C904B62
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO1038854.exe
Verdict:
No threats detected
Analysis date:
2024-09-30 14:50:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7426e46c-0d01-48d3-90a2-c1ddbfae452c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.14295.3568.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fac543c85f12c405da7477
Tags:
Powershell Spawn Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed phishing
Link:
https://www.filescan.io/uploads/66fab1b388188863f38cdda9/reports/96e60d74-c197-431b-a19a-af304babbe67/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55429dff-b2c2-4535-937c-d9f06d36e589
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1522761
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522761 Sample: PO1038854.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected FormBook 2->26 28 6 other signatures 2->28 7 PO1038854.exe 4 2->7         started        process3 file4 20 C:\Users\user\AppData\...\PO1038854.exe.log, ASCII 7->20 dropped 30 Adds a directory exclusion to Windows Defender 7->30 32 Injects a PE file into a foreign processes 7->32 11 powershell.exe 23 7->11         started        14 PO1038854.exe 7->14         started        signatures5 process6 signatures7 34 Loading BitLocker PowerShell Module 11->34 16 WmiPrvSE.exe 11->16         started        18 conhost.exe 11->18         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-30 14:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxtqgy3mfzoig6zxofgafkby3sspflcebvc4bpw7x5llrya4jaqa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
Formbook
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
Formbook
c6d81d84ccdb6f79482b251fcae0fe32524f969c4c760550e149bb5a809cb0fe
Formbook
error
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240930-rhtsbstdjb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf9f7d0a-87b0-4489-a14a-95bf8b6161b6
Unpacked files
SH256 hash:
68028e08e22e5f11f1d30d9cdf61c9d27da57b7e43a5bcae964074dbb8310cd8
MD5 hash:
79a50d4d93d41e2ad4b57250e1da3290
SHA1 hash:
cadd19c1fa34dc7e7bd0d3b966697b81653985bb
Link:
https://www.unpac.me/results/a187ed49-0979-4d3f-9640-140a5a577680/
SH256 hash:
cca4c2433aeb5a27539a1d24d3e0cb0cf2daf45b6c27c302c0ee91b14b822db4
MD5 hash:
e559693528a271759d0e71e70ba59d94
SHA1 hash:
7e143d78367b5361ab453af282c7160f35819e7d
Link:
https://www.unpac.me/results/a187ed49-0979-4d3f-9640-140a5a577680/
SH256 hash:
d2629d8bb9a63aa5b0d800f822bb60a44156275c696400c823b699315a5dd796
MD5 hash:
78446aecd0dc4933567afe287005b3b0
SHA1 hash:
bd39b6c53aef9398469b6d27be37fbd3b023136c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a187ed49-0979-4d3f-9640-140a5a577680/
SH256 hash:
d2174ddc2b6341b898b939fa0661d2a1cd8d485f5237427331f0d889672fbe7e
MD5 hash:
221f891053c35a694d7b442b7909d086
SHA1 hash:
81cb6829a184bae91927dc8b57744e895355b281
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a187ed49-0979-4d3f-9640-140a5a577680/
Parent samples :
509070cd30eb4cb05c29fe8cb222166c1c7db0f6084ea5b91e37bac79c14ac30
7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
6b8c990c92c37f014fc93efd79c6fbb3a22e8da7961e9333644bfeac353a2ae2
49a6d4dde10788e5000df6a0fad4be9ab17567fd1314b64c3d7be0257adcbc65
72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
c6ae41874ccd5d6c3e6da49cae6d0a0e8eee20e7037896b38f1e4523dd9543c8
08d86feee2707af5c57b4ffa8663c0e447c7425c39a103906cf15eae7cf1df9d
a433aa981a5cbfd5fae678c523b088d034f61f57dcb61232fbaba73657867b36
2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
822e06191849b35415693155a46edff39c41db14f3dce949120456c1b7b55892
79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9
3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
3279f79164633c0881c50971c98ca39bc9367111410f77582700468f2c0e3dd1
38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
b92304c2e680f54345fa77f77b0c507f93d05d43547e819d2ebf53a31e48ac97
f25dc80bfc742a0e8091d216ecbc033d93e71d43b31bbefb3ec9ef6cfc637cee
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
1cbf1a11cb59b7a4135093c3e6b11be6b81ba57fb30707de145a1d41506760a6
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
d55b00b7cb5305371e1cc170179e7025cc517b810e57992adab16893b410985e
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
520fe428b0afdaf20673224c5004c004ab1d1dfd492cc54a37e362af8a844005
8f49d498d3ed3ff8f66d7f22a4ab6b7747e2e799662ee75b2019304e5dbc6dde
884c0261a0c4ff07790fa549a0dc1d752bd97ef3e0635536193c585a291a7281
368305c8a62f4edc3ab1b94d1242e5438b7d7c14a6c65f7beb4aad32b1984821
c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
8b528f3a173e7e40394c21bb0cfa0304ef12b58ab185de1da8e4b4e5231eee8a
afef519b2380d9483a1b51eaccf235593140a75641e5a469d130f2d48ffd5268
a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
ddad2801522370c2ca5c4ec41663b36a88ef6be171867f23f084c0fa6ecb1055
5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618
02abb1d01386d7d7ffd8debc2c0fb09baebb82d88b8f758e4de3f0deaaecfbf9
65b4919d036f5dc3a1dfe9b62510ed4e578a87dccf862df6fbb8524894c2965d
a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4
780354ea81fa066b085767d98d878a9b891f7febea281d2e09577b424a6ab47d
b9f4537fa4b470f09cc62c1c706004604498c9405e638712eb4f2ea6a6b1876d
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
3376b495c19dc3e179dfb2ef072a362c2d26ed59b06266dd7dbf080a80a005f6
0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
01ab4d20ae687b065b10fdf3f3243a46a320dcec4b3a9a8e0cafcc0878aa1800
bf4ab91b352744a5ac16ef96f4c25405b993ded0aeaed9c09efbddab513877b9
b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
3d4bfc47bd88ef39e0780482a1b0fde1cd85772ddce25d9905d88d48b5b96a4a
e407720bcc7f5845bb9cf84c1c1209ef6e2afd339518359f86944c5f6e019b09
e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
20f9d4cf5cd85fa7cf0d58b55409f75f9af0b952d3b573bffdd21966d9a3f396
SH256 hash:
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
MD5 hash:
0b8096803c8a92e49a117832e8005e90
SHA1 hash:
b897636e60d041c518422da34325c7810c1f3404
Link:
https://www.unpac.me/results/a187ed49-0979-4d3f-9640-140a5a577680/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85e703636c2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1a99486bbc2ee6cea0a5ddf65c796fb05cd80be300913be1854058f91e95c8f3

Formbook

Executable exe 85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1a99486bbc2ee6cea0a5ddf65c796fb05cd80be300913be1854058f91e95c8f3
  
Dropped by
MD5 c896cc7d6eb9336c98d2212dae92626d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments