MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
SHA3-384 hash:	833c182aac62cd829382921469ff1f9fd1d3497e2b861f4fc0133f1d19f0ee802d5529cafe107609f04f0d752379d832
SHA1 hash:	a4543f2d4229c545470b6ea0a9d6a5757c98136c
MD5 hash:	1faa45e14fe03e78207dd61fc06cebcc
humanhash:	seventeen-whiskey-arkansas-harry
File name:	SecuriteInfo.com.W32.Injector.ESDK.tr.22022.2855
Download:	download sample
File size:	102'912 bytes
First seen:	2022-12-07 03:30:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0a200be649d9164028d0a240c9c38770
ssdeep	3072:EcP/srv1kD1hwhKT5wosunTA6zet5e6CJikb076V+axLV0:EtrQwBo3+5mJYk0
Threatray	116 similar samples on MalwareBazaar
TLSH	T107A36B41B5C0C032D876193159B0D9B65A3EF9300F609AEB63A81A3D9F357E09929F7B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Variant.Jaik.107269.5046.9762

Verdict:

Malicious activity

Analysis date:

2022-12-07 01:31:31 UTC

Tags:

formbook xloader trojan stealer

Link:

https://app.any.run/tasks/b6c3fe78-3642-4086-991d-401b642dfe2c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/343685/

Detection(s):

SecuriteInfo.com.W32.Injector.ESDK.tr.22022.2855.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware

Link:

https://www.filescan.io/uploads/639008f755eb3470cd4fe608/reports/df1a0cfc-1d0a-45ff-8574-f6e06ab76998/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/1a8d721b-a340-4c09-b263-5ad8b7e3e380

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1129567

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-12-07 01:02:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 26 (38.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rfxvqhfkga5mcewo5fe4remilz7dxbhgn7eebspjifu3vhjv4buq._file

Verdict:

unknown

54a47c70a79eb9ebc5960194d1bfbf3dd62b415f0d8731ec36444ebcb863faa6

6e8de74475e365bdd0f573a03266f447a13f30a76cc2c71d14c1fc5607e1ae5d

783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06

7ad292c3e81fc112732c566c056a85997a5b806815c7be77772a978ec6734ad3

90dba6160a0f697f8117d9c4e41c4df42fe29fd8a3b69644fd17e664f41f5196

91b5a61f0615710ef9ca5fd015e1cbe36b908516c5882463e4bdc694133c0829

97a2cccbc9e313d4907e747ad6e56b0303296d60199be583fe909d0a5ec015dd

f830ced2c0d06737392dddabd93828fa37430b0c6ec27cb7186c46d5e2f570b8

f88caffeed956cd5b1671dde49bfc61dac4fd2007b46287debf7dab6c179bf46

+ 106 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221207-d2jvksbe57/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/33fadad8-877e-4205-8aa2-b84f74997022

Unpacked files

SH256 hash:

896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

MD5 hash:

1faa45e14fe03e78207dd61fc06cebcc

SHA1 hash:

a4543f2d4229c545470b6ea0a9d6a5757c98136c

Link:

https://www.unpac.me/results/7ba6ea75-49ae-4ac7-af5f-1bddc805f608/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/343685/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample