MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5
SHA3-384 hash: edee45e5e45d712d56acadb4c7d0edcb0dc6a112c900c32c6bff550c3583f5abf259147061c2e3460e0de2c0ab17d38e
SHA1 hash: 844658856b5537fe495c0bc5acf19de7e6876a5f
MD5 hash: 0f20d5589ea196c02d601a6ae7cd2ef9
humanhash: colorado-bravo-johnny-mirror
File name:shippin document.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:734'208 bytes
First seen:2024-04-28 09:20:55 UTC
Last seen:2024-04-28 10:35:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Plv312Z3BBEGbRDkxO9HFp5vGQ+euZPYvrh+Mck1kBLERGBn:PJ312ZBvbRDXPsxZPYvl+Mck1uQw
Threatray 626 similar samples on MalwareBazaar
TLSH T19CF422A537F95766E0BD2FB80CAD001403B6781F1A34D32C5EDA65CF19A1716DEA0B2B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon ccd444444444d4d4 (6 x Formbook, 4 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5.exe
Verdict:
Malicious activity
Analysis date:
2024-04-28 09:35:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df4b80da-36b2-4621-bc73-da68e490f180

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys packed
Link:
https://www.filescan.io/uploads/662e150054bafb7d21e36481/reports/ae772433-2a9a-4589-9597-3e54fae2ff54/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58b9e363-171f-4c66-9a51-b24202be8575
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1432833
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-04-25 13:55:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjicjst6ot6oqvg37omjycs6h2amdzygec3pxjvxcjvgqqwoaksq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19640f20d067c8ca1ba3e08d34ea493c05b99016c6608dbcbfdf848ca4d60452
Formbook
28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
Formbook
3eebc98964a6d4a81fd0371df1a6207100e7bea4eb78a000bc2accb0f10e6e7c
Formbook
48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
Formbook
6465b2c5702a723c7229e33fdf38676e3b0e0049b5b632e2fe6e210713f6a7e7
Formbook
864b5669f18681ae03edbd7c3b3bbf6732e55191d4883f18783eb9c611fa9a17
Formbook
92044a1dfdd31eaa681683708cbdd3c75e398f35a6ace235926946dc5fd1715a
Formbook
c7a16881f8c69d16a9b0bdcbfdd5c4aada81eba19521d1c03ee7f6005f7d6629
Formbook
e13ff8371479ec562aedb0e587bff6d0bf55b78d70568f8d934687fae50454df
Formbook
f24092f3ff18dc8a33a8e87f1cd0271aaeb22a1d5202ddf59979b4b8d0d784fc
Formbook
+ 616 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240428-lbbehsce46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
32bf6832143ab8b98107d3b25754742ec33ae043ff125d27869caa287023515c
MD5 hash:
16e913c65371613cb6dd1af205ac6efa
SHA1 hash:
6b47bd848cd17039b60b6e9c80627c2516f19af8
Link:
https://www.unpac.me/results/59bb73ea-de4b-4804-9683-3c407af6b4d8/
SH256 hash:
d901a47b5b4ea6bf997e5838a1f0966128bdb992e60962b0b334e50d0babaa53
MD5 hash:
80ed8eba3fe3c574e0a540cbc79488aa
SHA1 hash:
e6065d954bbf8a45daea1d9ef9fcfaac261ff88c
Link:
https://www.unpac.me/results/59bb73ea-de4b-4804-9683-3c407af6b4d8/
SH256 hash:
3074b4b3e6d23c8baf4f7bb050db93bd8f8bd060dbed17b3927beb7c11603e7b
MD5 hash:
94b9beac20daa459fa34181dc35dcdb1
SHA1 hash:
ede548c6a2e1befbc610fe83ffbd737182f2871d
Link:
https://www.unpac.me/results/59bb73ea-de4b-4804-9683-3c407af6b4d8/
SH256 hash:
a3de65d9607fa28995b6d60b0ad501d36107454865c7a74e8121ec11320ae565
MD5 hash:
7dfefede4d4b4d15fe2c4d83996e9e1a
SHA1 hash:
62e0258f0a8d23d17225ff7ad0b304ab12a9fd6a
Link:
https://www.unpac.me/results/59bb73ea-de4b-4804-9683-3c407af6b4d8/
SH256 hash:
9d29ddb766975d283e42d47ee67fd1f3b88ddecf6defe6f408651984a1eb7313
MD5 hash:
fab0e6b2412a13709095243bcf12af07
SHA1 hash:
23ad8b746833f68dcad791f23f3c7f236af907bb
Link:
https://www.unpac.me/results/59bb73ea-de4b-4804-9683-3c407af6b4d8/
SH256 hash:
8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5
MD5 hash:
0f20d5589ea196c02d601a6ae7cd2ef9
SHA1 hash:
844658856b5537fe495c0bc5acf19de7e6876a5f
Link:
https://www.unpac.me/results/59bb73ea-de4b-4804-9683-3c407af6b4d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a5024ca7e74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a5024ca7e74fce854dbfb989c0a5e3e80c1e70620b6fba6b7126a6842ce02a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments