MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88f28e5053f90a2b68e11f599f4136eaf462c9ad3cf319c96882f5b19386aef1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12


SHA256 hash: 88f28e5053f90a2b68e11f599f4136eaf462c9ad3cf319c96882f5b19386aef1
SHA3-384 hash: b5c7e414471284c2607926aca976d2ced797f569ea88db0b3c98ed2251f204f90f97ed0800f0f03c2cada28210817d45
SHA1 hash: b02b66803810d4ea5f0175eec0f6ea20c71e0f81
MD5 hash: d983a6bb0fa615c1f998f26d60635cad
humanhash: dakota-sodium-victor-two
File name: file.exe
Signature: Formbook
File size: 701'440 bytes
First seen: 2024-04-30 05:33:41 UTC
Last seen: 2024-04-30 06:37:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'740 AgentTesla, 19'600 Formbook and 12'241 SnakeKeylogger samples in MalwareBazaar)
ssdeep: 12288:3oB778QlUw25OFwhXX8jvrThGAYpizieTS7+DKzF4epNQGY45fX4pp1MbPFzg813:4B0BFX8jvrtGGTwzFdQx45fop1M7Fa
Threatray: 650 similar samples on MalwareBazaar
TLSH: T185E4239CA2EC17A2C1EE47F53CA65602177825078F41DB4F89CA30CDEE67BD1A081D5B
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 4018f9e960e20464 (shared with 19 AgentTesla, 6 Formbook and 2 PureLogsStealer samples)
Reporter: abuse_ch
Tags: exe FormBook
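Before touching the sample, confirm that the file you extracted is the one this entry describes, and keep in mind what the imphash line above does and does not tell you. The script below is an added example, not code from MalwareBazaar: the expected digests are copied from the entry, and imphash() takes an already-parsed list of (dll, function) pairs, mirroring the pefile get_imphash() convention that MalwareBazaar's value comes from (pefile's table of well-known ordinal names is left out, as noted in the code).

```python
"""Added example (not MalwareBazaar's own code): verify a downloaded sample
against the digests listed on the page and compute an imphash from an
import list.  Expected digests below are copied from the database entry."""
import hashlib

EXPECTED = {
    "md5": "d983a6bb0fa615c1f998f26d60635cad",
    "sha1": "b02b66803810d4ea5f0175eec0f6ea20c71e0f81",
    "sha256": "88f28e5053f90a2b68e11f599f4136eaf462c9ad3cf319c96882f5b19386aef1",
    "sha3_384": ("b5c7e414471284c2607926aca976d2ced797f569ea88db0b3c98ed2251f204f9"
                 "0f97ed0800f0f03c2cada28210817d45"),
}
DIGESTS = ("md5", "sha1", "sha256", "sha3_384")


def file_hashes(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists for a file, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_path(path: str, chunk: int = 1 << 20) -> dict:
    """Same as file_hashes() but streams a file from disk (samples can be large)."""
    hs = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def verify_sample(data: bytes, expected: dict = EXPECTED) -> list:
    """Names of digests that do NOT match; an empty list means every listed digest
    matched.  Run this on the extracted file, not on the ZIP the site serves."""
    actual = file_hashes(data)
    return sorted(name for name, want in expected.items() if actual[name] != want.lower())


def imphash(imports) -> str:
    """imphash of an ordered list of (dll_name, function_name_or_ordinal) pairs.

    Follows the pefile convention: DLL name lowercased with a trailing .dll/.ocx/.sys
    removed, function names lowercased, imports by ordinal written as 'ordN', entries
    joined with commas in import-table order, MD5 of that string.  pefile additionally
    maps well-known ordinals of ws2_32/wsock32/oleaut32 to names; that table is omitted
    here (assumption: the image does not import by ordinal from those DLLs).  Parsing
    the import table out of the PE is the caller's job; pass the pairs a PE parser yields.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    # Usage against a real download: the ZIP the site serves is password protected and
    # its digest will never match; extract first, then hash the executable inside.
    # print(verify_sample(open("file.exe", "rb").read()))
    print(imphash([("mscoree.dll", "_CorExeMain")]))
```

The check to take away from imphash(): it hashes nothing but the names in the import table. Every .NET executable whose only native import is _CorExeMain from mscoree.dll therefore produces one and the same imphash, whatever the managed code does, which is why a single value can cover 48'740 AgentTesla, 19'600 Formbook and 12'241 SnakeKeylogger samples and why the imphash-based YARA rules listed under YARA Signatures fire on this file. Treat that imphash as "this is a .NET image", not as a family signature; ssdeep and TLSH, which hash content rather than import names, are the similarity pivots worth using here.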

Intelligence

File Origin
# of uploads: 2
# of downloads: 311
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 88f28e5053f90a2b68e11f599f4136eaf462c9ad3cf319c96882f5b19386aef1.exe
Verdict: Malicious activity
Analysis date: 2024-04-30 05:53:52 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the uploaded sample on its own.
Result
Verdict: Malware
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer

Threat name: ByteCode-MSIL.Trojan.Sonbokli
Status: Malicious
First seen: 2024-04-29 04:49:49 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext

Unpacked files

SHA256 hash: 559ce5ccc4f2bd043013d3be477b70c60bf6bdfe7c8c7c4326084ebd09da5569
MD5 hash: 8faa930655425f9ff65742eaa7ad7a7a
SHA1 hash: 532e054082236beed4c6fd9c9da00f5deca1eb24
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 5536a12dfbd2d3a158c7be6fdec8b510b281a4a34f896b356d1f4a7e41dd87ce
MD5 hash: 9de907a8c7112dbdf6172e6bbf663eb3
SHA1 hash: d3f802adde7b08d9a5cd37e8a188a77fc41b73a0

SHA256 hash: bfc8d72b7fbe7f027b70ada30d9dea3d03b15073f442f93c74c19572d4ed7742
MD5 hash: d7b68b73ac8ea51c84b9574ead8d5d28
SHA1 hash: 9d350b551d4df35d4c73a3cce59c5a02321ae4a4

SHA256 hash: 396d5e75adc2cd37d53a523ad3b1214573db25d5de3e8ea9accc72e8cc55385b
MD5 hash: ef58d4fd581210794351f5d9ca40c9bd
SHA1 hash: 00ff0cd3367c59792beabf231b5649432752f8e9

SHA256 hash: 8213a6a34c36db37675298dcbbbb36451ddf233c1af7e8783be225d3e4c08271
MD5 hash: a2f5dafc17432fdea2f85c9c972167ca
SHA1 hash: 004139faa5268e3fd9fcc92710d0e331d32a2d7b

SHA256 hash: 16b6853002bf76974204d84233775c2dbfb923e04bae088d71c078ddcc43090a
MD5 hash: c22255f8c25bb495dc7e3b6cd890905f
SHA1 hash: ddbf0baf537fe4fb13dfa2cdfb86d56544d019cb

SHA256 hash: 864dd77fceb3232b5c79ed06c5940973c6c4d41bfd5a709a37ee4c20560c9d30
MD5 hash: 606bde1909f6101e1bef052c712dbb65
SHA1 hash: 92e8adfcc4585b0a22736c7f44e754ec83b0e037

SHA256 hash: fa41b28c6db2548c89a14f572747a76bcf9660fe343cac5a6ddcc89a4ce775ec
MD5 hash: 7f75de2ade0346795a85738114fecbf8
SHA1 hash: 8cf9b63ec26ae05c993739e0a1fee36af124f69b

SHA256 hash: 9f5f3c8d907a144b5b7d197c59580ef162dade91def171fc83f70c13c0489081
MD5 hash: 1d4135a08d9b7546709e027e526eaea3
SHA1 hash: 4bed322f01ff57516e393a74f7c5171e3ad8eeaa

SHA256 hash: a3306cd5d719e09271572180ed8842bc514bb9a49eaffd102656965e054dc9bc
MD5 hash: 9f83fd06637eb172f441b55879f894a0
SHA1 hash: 42eeaf68722e586ccb92b5329535fcfb6ef8a6da

SHA256 hash: 62c62f7e7af28f55f0d2fadeeafc5b4826bb56567432dfe2058c72a72078a2b7
MD5 hash: 1d813bc2c8f75b0d0266bbb181fefdbc
SHA1 hash: 07befb643773b43eff2bf87ec5d58f20aac9cb45

SHA256 hash: 88f28e5053f90a2b68e11f599f4136eaf462c9ad3cf319c96882f5b19386aef1
MD5 hash: d983a6bb0fa615c1f998f26d60635cad
SHA1 hash: b02b66803810d4ea5f0175eec0f6ea20c71e0f81
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET (author: malware-lu)
Rule name: NETexecutableMicrosoft (author: malware-lu)
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash (author: Skystars LightDefender; description: imphash)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

The first finding means the PE carries no Authenticode signature (its security data directory is empty). The second means the optional header's DllCharacteristics field lacks IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (0x0020), so the image does not opt into high-entropy 64-bit ASLR. Neither is evidence of malice by itself; unsigned .NET executables without that flag are common.
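Both BLint findings can be reproduced from the PE headers alone, which is useful when triaging a sample offline or when you want the same check over a whole directory of unpacked files. The script below is an added example, not BLint's or MalwareBazaar's code; it reads the DOS, COFF and optional headers with struct, reports the Authenticode directory, the DllCharacteristics bits and the CLR header (the .NET marker behind TrID's "CIL Executable" guess), and includes a constructed header-only PE so it runs without the real sample. The set of flags it treats as required and the finding IDs are modelled on the BLint table above, not taken from BLint's source.

```python
"""Added example (not BLint's or MalwareBazaar's code): reproduce the two BLint
findings above directly from the PE headers.  Only struct is needed; a constructed
header-only PE is included so the script runs without the real sample."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the optional header (offset 70 in PE32 and PE32+).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Flags this checker wants to see (my selection, modelled on the BLint finding above).
REQUIRED_FLAGS = ("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT")
DIR_SECURITY, DIR_CLR = 4, 14  # data-directory indices: Authenticode blob, CLR header
MACHINES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}


def pe_security_profile(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and report the properties BLint flagged."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dir_base = opt + (112 if pe32plus else 96)

    def directory(index):
        # (VirtualAddress, Size).  For the security directory the first field is a raw
        # file offset, not an RVA, because the signature blob is never mapped at runtime.
        if index >= ndirs or dir_base + 8 * index + 8 > opt + opt_size:
            return 0, 0
        return struct.unpack_from("<II", data, dir_base + 8 * index)

    sec_off, sec_size = directory(DIR_SECURITY)
    _clr_rva, clr_size = directory(DIR_CLR)
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit]
    missing = [name for name in REQUIRED_FLAGS if name not in flags]
    # A populated directory only says a signature blob exists; validating it (PKCS#7
    # parse, image hash, chain, timestamp) is a separate step this script does not do.
    authenticode_present = sec_size != 0 and sec_off != 0

    findings = []
    if not authenticode_present:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (%s)" % ", ".join(missing), "high"))
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "pe32plus": pe32plus,
        "dll_characteristics": flags,
        "high_entropy_va": "HIGH_ENTROPY_VA" in flags,
        "authenticode_present": authenticode_present,
        "is_dotnet": clr_size != 0,  # a CLR header is what makes the image a .NET image
        "findings": findings,
    }


def build_minimal_pe(pe32plus=True, dll_characteristics=0, signed=False, dotnet=False) -> bytes:
    """Constructed test input: valid headers with 16 data directories and no sections.
    Not the real sample; it exists so the checker can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    ndirs = 16
    opt_size = (112 if pe32plus else 96) + 8 * ndirs
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, ndirs)
    dir_base = 112 if pe32plus else 96
    if signed:  # pretend a 0x200-byte WIN_CERTIFICATE blob sits at file offset 0x1000
        struct.pack_into("<II", opt, dir_base + 8 * DIR_SECURITY, 0x1000, 0x200)
    if dotnet:  # pretend a 0x48-byte IMAGE_COR20_HEADER sits at RVA 0x2008
        struct.pack_into("<II", opt, dir_base + 8 * DIR_CLR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Header-only stand-in with the same two gaps BLint reported for the sample.
    profile = pe_security_profile(build_minimal_pe(dll_characteristics=0x8140, dotnet=True))
    for finding in profile["findings"]:
        print(*finding, sep="\t")
```

On a real file call pe_security_profile(open("file.exe", "rb").read()). Two caveats the code comments repeat: an occupied security directory proves only that a signature blob is attached, not that it verifies, and HIGH_ENTROPY_VA is only meaningful for an image that can run in a 64-bit process, so on a 32-bit-only binary the finding is noise rather than a hardening gap.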
