MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86cfac3955af9eb6cc14f7fdcffaf83be9b9240f9a87240886227108d36a3f53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14



SHA256 hash: 86cfac3955af9eb6cc14f7fdcffaf83be9b9240f9a87240886227108d36a3f53
SHA3-384 hash: 30f44a1e7f1194d0a96640979200fee1fce42f56a383dccfc7a59154c6d940ce22e54cb1272eab919e0f9dfbe7b97771
SHA1 hash: 0c63b51c519c20d9a44d0d87c6790e17c57f0461
MD5 hash: d3b66948e040fbc4a2c415a2aa4b9065
humanhash: autumn-ceiling-florida-arizona
File name: xl.exe
Signature: Formbook
File size: 929'792 bytes
First seen: 2024-11-28 06:20:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:Y1ZnaHQYwva7TFeXglCIWi7bedhLGX407NC74kX2th9g6TnC:Y1NuQU7xqw7b4hLGXVCUGWa6T
Threatray: 7 similar samples on MalwareBazaar
TLSH: T12615C43E19B9622BB1B9C765FBE48127F07096EBF111AD64D4EB436A4306A0374C327D
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: lontze7
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 431
Origin country: FR
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: xl.exe
Verdict: No threats detected
Analysis date: 2024-11-28 06:24:39 UTC
Tags: netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.1%
Tags: virus gates shell

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed

Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph ID: 1564311 (Sample: xl.exe, Startdate: 28/11/2024, Architecture: WINDOWS, Score: 100)
Graph-level signatures: Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; Yara detected FormBook; 7 other signatures
Process tree recovered from the graph:
  xl.exe (started)
    dropped: C:\Users\user\AppData\Local\...\xl.exe.log (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    powershell.exe (started)
      signature: Loading BitLocker PowerShell Module
      WmiPrvSE.exe (started)
      conhost.exe (started)
    xl.exe (started)
Threat name: ByteCode-MSIL.Trojan.PureLogStealer
Status: Malicious
First seen: 2024-11-27 07:58:40 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: bdc23456ce61aa31a2925dc6201f0921b8c1739050161ea1e73226508c4c7a31
MD5 hash: a79732510e14c36ddf3c914122fd5b6d
SHA1 hash: 1a1266b2476d60a4a019984e8d8c63fb6d258d26
Detections: win_formbook_g0

SHA256 hash: df81c7b511ff403059371a4e5c223ea5f841140fe756f7a08cd208298dba8341
MD5 hash: dae13cf20d651f125b451a1b86f51e84
SHA1 hash: fd1cb4db72925eb8e25456a576803f5df7e56695
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 8fe7376b08710100fb3cba9ef949000b7787c636ca1a762d085d17a9147e44dc
MD5 hash: 1547b96162d918d62aae09685aab2797
SHA1 hash: 809ba4798136a324164f005ce7d592bf3e5a22d2

SHA256 hash: 86cfac3955af9eb6cc14f7fdcffaf83be9b9240f9a87240886227108d36a3f53
MD5 hash: d3b66948e040fbc4a2c415a2aa4b9065
SHA1 hash: 0c63b51c519c20d9a44d0d87c6790e17c57f0461
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File type: Executable exe
SHA256 hash: 86cfac3955af9eb6cc14f7fdcffaf83be9b9240f9a87240886227108d36a3f53 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments