MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 17 File information Comments

SHA256 hash:	866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095
SHA3-384 hash:	6277eafbd474a2b6e04260f702bbf1ccef592e5505c344c10dbde687b59f8c73864dd1ef459fb1c818c76e6763814add
SHA1 hash:	d34061308542ffd1a0940dcbdca8fdf54aaa3b85
MD5 hash:	280b7fc7691f4ef2ab7e4fd6a0ed9c62
humanhash:	wolfram-cat-william-massachusetts
File name:	SecuriteInfo.com.Win32.PWSX-gen.9403.13485
Download:	download sample
Signature	Formbook Create hunting rule
File size:	629'760 bytes
First seen:	2023-11-03 19:13:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:dALLsbJC65ntJmIoOoXpaxl7DAdMpMAwDADqS:dALLsb77oa8SHq
Threatray	19 similar samples on MalwareBazaar
TLSH	T10AD4122877B95B11DAFF87F618A02444077670EF7566F78C0D9061DB2261B80AFA1F2B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

Vendor Threat Intelligence

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.9403.13485.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6545467f2546bd423f10995f/reports/487317e3-5907-438d-b0c7-4ed937ba5a1f/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/95e412d3-bf3e-44d8-8643-e40cc5d65be4

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1336893

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-03 19:14:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qztzh6z6lwqlguwsn435w3pku45vtaazukoaing2lkafyex5uckq._file

Verdict:

malicious

Label(s):

formbook

Formbook

7c0276edd9ce400d92a0b135a90b3d0f055991aad22ba1acb0fac193636eb621

Formbook

7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae

Formbook

866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095

Formbook

9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4

Formbook

e4b2f31e7c9fb2df6cf161898f23653c49d758f8f733e5910b99f3fd998569e0

Formbook

+ 9 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231103-xxl9paha2x/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

040ebacdf0891552a5a175b21e5bd647ee9db167565e025a18bba0d5cbc892b5

MD5 hash:

de9e427377706d0135c4320ade02240a

SHA1 hash:

f9d15efffc83e78c6ce05e6120ef1aa5bb873859

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/5027b809-8113-44da-9307-981bf8f71c21/

Parent samples :

7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae
fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f
c213ee22a5995544b5e65e22ee4fc7084d165f5c0d1037d773dd4e44ccffc686
866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095
2772267437ac2a4a39e1c4893788b420e3eafd75c0517c3d8bb58516c8e2b196

SH256 hash:

0ba1122a32e87e976c3c1076bc93d38b8da59635dd7541bbbe393cd6b76170ee

MD5 hash:

114a8ee279e136584a12827ac26ede30

SHA1 hash:

72a7bed5b5e5c5a69a5570772d22418bbe55e9f9

Link:

https://www.unpac.me/results/5027b809-8113-44da-9307-981bf8f71c21/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/5027b809-8113-44da-9307-981bf8f71c21/

SH256 hash:

2fc6e7a93e0fbed4e6ca48c98af13c7339db7bff52a1bdce39b1c83c8e453878

MD5 hash:

af053f732b77a9c89118b0e73d2dd656

SHA1 hash:

64b34d32f5dca8ec21ffeceebe6d6c9dfc562c4d

Link:

https://www.unpac.me/results/5027b809-8113-44da-9307-981bf8f71c21/

SH256 hash:

15d80755306e2f0cd9e5f3634ca4ba5642f7c0ecdb341bef45b9204d09063ac3

MD5 hash:

a2fa10b5d8886aed1694730753f3a98a

SHA1 hash:

0662f4cf0a63fda35d440d3830990c93dda63c1b

Link:

https://www.unpac.me/results/5027b809-8113-44da-9307-981bf8f71c21/

SH256 hash:

866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095

MD5 hash:

280b7fc7691f4ef2ab7e4fd6a0ed9c62

SHA1 hash:

d34061308542ffd1a0940dcbdca8fdf54aaa3b85

Link:

https://www.unpac.me/results/5027b809-8113-44da-9307-981bf8f71c21/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/866793fb3e5d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample