MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5
SHA3-384 hash:	7154509773c03c4325d44eaf0d3c894c8f040971887af1b9517e346841b32b279599918011840e036ff9f9c0e5311fee
SHA1 hash:	c93a0f354cfc5d4ede8ac6598fbfd48270344367
MD5 hash:	4547d92046a773ade182813b8dab2808
humanhash:	social-lima-massachusetts-comet
File name:	TNT Original Documents AWB 8013580.bat
Download:	download sample
Signature	Formbook Create hunting rule
File size:	777'728 bytes
First seen:	2024-10-14 09:03:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:Ycir1S2IoOAc6/5rZGmy4qA5Zno/HK5sMg1xMqU4pCD9fY73eL6rmYEJJAkqdR/P:pA59ovKzgrzc673eLvJDq3/8VC4IcSiu
Threatray	4 similar samples on MalwareBazaar
TLSH	T1E3F4F1507629AC23C1BA4FF20520E67503B76E9D7811F3CA8DE9BCAB74F7B806645643
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	bat exe FormBook TNT

Intelligence

File Origin

# of uploads :

# of downloads :

427

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TNT Original Documents AWB 8013580.bat

Verdict:

No threats detected

Analysis date:

2024-10-14 09:16:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6e79333a-2651-43b8-962c-483d104231c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Nanocore-10025638-0

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=670cde85707bcd8537fb85bf

Tags:

Micro

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/670cde8486f9fbacf7a08c7e/reports/037d73ba-e9ef-4a10-9524-bb7616903be6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d66d712-c4dd-4167-8008-c12e79207719

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1533040

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5/

Threat name:

ByteCode-MSIL.Trojan.Swotter

Status:

Malicious

First seen:

2024-10-14 09:04:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qzle2rdrkagtsmwqv7o4riffesmc4237hjyggdkh4ikngg6rm3sq._file

Verdict:

malicious

Label(s):

formbook

unknown_loader_037

Formbook

e7372cd29537f5e27f70f6b9969cf16b2b2bcaf655406722f87efb7a74f2be38

Formbook

error

Formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/241014-k1lfcaxdrn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f9e05757-cd75-4300-9b9d-be485620968c

Unpacked files

SH256 hash:

cbec3029930be26b2c33d2b83a8c21e5f541f2cd23179fd476973dfd8102b090

MD5 hash:

7e7134b9873ceac3e2cd99d56ba393ef

SHA1 hash:

13e19a88fae57e426324006de58caf42d93a6acb

Link:

https://www.unpac.me/results/a009f2f9-314a-46af-8964-8516f4eaef33/

SH256 hash:

fb23e5e3a3a402249e2d41bc1606d29ba977e19f8060cbb53edfe6b185506494

MD5 hash:

de002f7018ddd6713a8a6d3239028f38

SHA1 hash:

74fcb1b01625565b2a09988bbc88ac5882cb4ee9

Link:

https://www.unpac.me/results/a009f2f9-314a-46af-8964-8516f4eaef33/

SH256 hash:

3ed0497db6b560687a36da292e8d20585885c022fd5bca6ab7126bfde406b31f

MD5 hash:

89e2fbfac2d18d7708a7458c453f44bf

SHA1 hash:

50c07ed86f0adc6fce1a6fbe3434a08154a3620b

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/a009f2f9-314a-46af-8964-8516f4eaef33/

Parent samples :

86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5
3dcbee6ee102a689e41b9198c27fceed7962f5ce3861721032898e5771087d50
a6e3235b896751de88268e16897a971fb6f68c06c63566714fbc70a5f78d4fda
ff1d10747a911b5fcdae2653611d1c1bf3222658d3b1e174c992667b91041f90
a898645f4029e742ca261f428c7985cb8c501586c48c35c06c4270c077833a9f
df7bcf222c6ce1cbb9050cfe39bf4af502e89e51b066a961a0aa8e425a268896
9b817418b2dc2a4d5051236d919c52dbbc463088de8bb8deeb3a7f516bc47435

SH256 hash:

a847298027466ec976c6c346b2361b81557c276e84326fd4018a87e1f9ba9f00

MD5 hash:

700111604483fabdb9c4f3bf2ec1b833

SHA1 hash:

469f987e96260c74b24ab0315b02cd7766914490

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a009f2f9-314a-46af-8964-8516f4eaef33/

SH256 hash:

86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5

MD5 hash:

4547d92046a773ade182813b8dab2808

SHA1 hash:

c93a0f354cfc5d4ede8ac6598fbfd48270344367

Link:

https://www.unpac.me/results/a009f2f9-314a-46af-8964-8516f4eaef33/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/86564d4471500d3932d0afddc8a0a524982e6b7f3a70630d47e214d31bd166e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample