MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764
SHA3-384 hash: d210bbcb87a6b2c422842202dbd43d5a6aa9cd9f56e4257bbe718577e87d0cdc8febc790b51e2f25fa40b0183e5d6ed9
SHA1 hash: 3acabb0dbb9d88b388e0b068c98c53605de367f0
MD5 hash: a79a555d8074362ce42e03465fc6655d
humanhash: rugby-pennsylvania-whiskey-carbon
File name:a79a555d8074362ce42e03465fc6655d
Download: download sample
Signature Formbook
Create hunting rule
File size:974'336 bytes
First seen:2023-07-19 07:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 24576:Hk70TrczzmYJqlHIJYhO2VVP1ru6DGt1blxIj:HkQTAzztJcoKhOgVP1rjD417Ij
Threatray 403 similar samples on MalwareBazaar
TLSH T125251225B0C2C1B3D977017044D6CA6A9959B03A1F75D6D7BADD1A7A6F203F0A3382CE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a79a555d8074362ce42e03465fc6655d
Verdict:
Suspicious activity
Analysis date:
2023-07-19 07:38:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fda30a3a-bf7d-45e2-908d-848de6ccb3df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/424518/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/64b7929f7a9c6ddebf0ba561/reports/7bff98fc-fea7-483d-8033-416be05aa93d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e704feb4-05ac-4380-be7e-e65da379eb4d
Result
Threat name:
FormBook, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1275740
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected FormBook
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 12:54:45 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 25 (88.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=recp44vxoaqvutr3zaxw4h62s5lkcr73q262yl7mp25mk54gm5sa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18b15672bacee7b796cee3c6beffde75c0f7ae628b4575778fe3328687f9a9ed
Formbook
2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
Formbook
2beabdd285adf915fc07418c5f9e57cc4430f766b838e1726570c21af4868f18
Formbook
4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
Formbook
4339763c2998a0b0a63f0a1e0034decd766d3fc8d3cf35e946a7b12c9e34ab3e
Formbook
4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49
Formbook
67b07cfdc4ea5fcc63a80b9411e5cef72576ef6b398fd43cab2415dcbacd5ed1
Formbook
b5d921e0f8d51e9bfb643766df1ec884d787d2fb16d7f78a136edc801b1eeca1
Formbook
c5b99e7807cf9f4add86f8521664eb8416fd87532cc8378076826ccdd74adcc3
Formbook
+ 393 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230719-jgdqqage68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
dde3e331a14c0868d74333b073d7a0dc351f1d58e4c21ac744150a9df30ff89f
MD5 hash:
0acf4e33dafa422fac3b602504e7d40a
SHA1 hash:
6bb20490721e93e973a5ce6b4904df1102c930d5
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/dbedb358-38c1-400f-81f6-e68dd2b9251d/
SH256 hash:
842dee7b874ef6f8d59e483954a56946362d6168a1b1b045a526addbc68c920f
MD5 hash:
03255022dfdaab357a8cc24e3a56d90b
SHA1 hash:
1ec5d0d9867536e5ca1758f41afc68826389e1c0
Link:
https://www.unpac.me/results/dbedb358-38c1-400f-81f6-e68dd2b9251d/
SH256 hash:
55771c2d59ea2e00ce0f867575a5e272791c1da10c5bba6fd1c4a329bb69ddff
MD5 hash:
83f86f87f531c50b38de724b48213f40
SHA1 hash:
aa572faf79a04f77cdc5df81ccb5e0529ed00bf8
Link:
https://www.unpac.me/results/dbedb358-38c1-400f-81f6-e68dd2b9251d/
SH256 hash:
faaae4322148f518df079221a284affc0c048913750d76baa6371d3631101360
MD5 hash:
757de7f9faa8f3a5d85c25b86eacb64f
SHA1 hash:
77bbd7c6082b5e9ae83017f56551c42dd62666d2
Link:
https://www.unpac.me/results/dbedb358-38c1-400f-81f6-e68dd2b9251d/
SH256 hash:
313ff3641e35cc8c5c261ea6a3c8380b1f7bb36d9bd15e56b8aa6c3b82b5eef7
MD5 hash:
95b92095a418cd46378d7328788f7f94
SHA1 hash:
2ade8f3328380d9f80de41badc529423ab049032
Link:
https://www.unpac.me/results/dbedb358-38c1-400f-81f6-e68dd2b9251d/
SH256 hash:
8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764
MD5 hash:
a79a555d8074362ce42e03465fc6655d
SHA1 hash:
3acabb0dbb9d88b388e0b068c98c53605de367f0
Link:
https://www.unpac.me/results/dbedb358-38c1-400f-81f6-e68dd2b9251d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8904fe72b770/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8904fe72b770215a4e3bc82f6e1fda9756a147fb86bdac2fec7ebac577866764

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2685668/
Cape
Cape
https://www.capesandbox.com/analysis/424518/

Comments


Avatar
zbet commented on 2023-07-19 07:36:31 UTC

url : hxxp://84.54.50.31/Ari/MNKLOP873.exe