MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
SHA3-384 hash: 9caaa4fdd80617b8b9cdf0e74df0a51a92e316c9a2f2998b1fc0e37ae9ade1f159e5ca4f867547b573526abb38ce4083
SHA1 hash: edcb94850e63d424604029edf6c720b9d1d6e8df
MD5 hash: 8a53a0551259a54c9503f4cf29a67821
humanhash: six-bakerloo-edward-ack
File name:SHIPPING DOCS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:739'328 bytes
First seen:2025-01-15 14:08:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:/b1PloJNhQ/cWS7stv2EJ7yYqMSKlaU7/IYV51GMER0eTRpqbMLWuRsQsAAHO/:ZiJN+UVsDhyYWKlh0So0IpqwLWueQspu
TLSH T1B3F4BFC03B297702CE6CB674853AEDB863642E74B004F9E26EEE3B877599213591CF45
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SHIPPINGDOCS.exe
Verdict:
Malicious activity
Analysis date:
2025-01-15 14:14:54 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/d59ec32f-a798-4b67-8f3a-9fcb86b7dc3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6787c180aa9c8e7858dee300
Tags:
shell msil sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed packed packer_detected
Link:
https://www.filescan.io/uploads/6787c25b0d4502ea0c1d00a4/reports/e3bd9c5d-afc9-421d-ac2b-cd541cd59316/overview
Verdict:
Malicious
Labled as:
Genie8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/698d5b70-e9ea-4e36-ac38-172e3c8771ba
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1591871
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591871 Sample: SHIPPING DOCS.exe Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 61 www.lphatechblog.xyz 2->61 63 www.enelog.xyz 2->63 65 9 other IPs or domains 2->65 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for URL or domain 2->83 87 12 other signatures 2->87 11 SHIPPING DOCS.exe 7 2->11         started        15 HcXqyZTglEDQeU.exe 5 2->15         started        signatures3 85 Performs DNS queries to domains with low reputation 63->85 process4 file5 53 C:\Users\user\AppData\...\HcXqyZTglEDQeU.exe, PE32 11->53 dropped 55 C:\...\HcXqyZTglEDQeU.exe:Zone.Identifier, ASCII 11->55 dropped 57 C:\Users\user\AppData\Local\...\tmp8FC5.tmp, XML 11->57 dropped 59 C:\Users\user\...\SHIPPING DOCS.exe.log, ASCII 11->59 dropped 89 Suspicious powershell command line found 11->89 91 Writes to foreign memory regions 11->91 93 Allocates memory in foreign processes 11->93 95 Adds a directory exclusion to Windows Defender 11->95 17 RegSvcs.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 23 11->22         started        24 schtasks.exe 1 11->24         started        97 Multi AV Scanner detection for dropped file 15->97 99 Machine Learning detection for dropped file 15->99 101 Injects a PE file into a foreign processes 15->101 26 RegSvcs.exe 15->26         started        28 schtasks.exe 15->28         started        30 RegSvcs.exe 15->30         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 17->67 69 Maps a DLL or memory area into another process 17->69 71 Sample uses process hollowing technique 17->71 77 2 other signatures 17->77 32 explorer.exe 60 1 17->32 injected 73 Loading BitLocker PowerShell Module 20->73 34 conhost.exe 20->34         started        36 WmiPrvSE.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        75 Found direct / indirect Syscall (likely to bypass EDR) 26->75 42 conhost.exe 28->42         started        process9 process10 44 explorer.exe 32->44         started        47 help.exe 32->47         started        signatures11 103 Modifies the context of a thread in another process (thread injection) 44->103 105 Maps a DLL or memory area into another process 44->105 107 Tries to detect virtualization through RDTSC time measurements 44->107 109 Switches to a custom stack to bypass stack traces 44->109 49 cmd.exe 44->49         started        process12 process13 51 conhost.exe 49->51         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-01-15 07:17:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rplayww5qyxlmnfrl6wuaifjv7hy5vxvenefmzoiabcpsc6iwmcq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a03d discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250115-rf4vhswnfq/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a189e535-59a5-4002-a3ab-97b52a288a63
Unpacked files
SH256 hash:
4f59ffd1f9e8b2088120692bae2d99ddf906cab5d98435baad7ac4073ca0fe81
MD5 hash:
6782ca1720c77e90ba84e9ab5ba4f07d
SHA1 hash:
79e819dde4a4b29ca3a221f89cf73f1fd818f1de
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/ef09b6d7-e014-4799-9b99-358d5b940999/
Parent samples :
b225f4ef997754cc29f699ca3a8aa9aa1d39661d7c3dbc6f36a7c7a5bca235ab
92beab1ebf4cb74018b11571a5db867c2ec9d7bb0231a93a898cc3b7799558eb
acc906177a946e3e7fca9b9d962336e9e4d828297eb86761f610284f57fbf394
7a531101bc8522d52f45933945d6b8728ad7b7f3c9aaefd2d18742f8ec4000cb
bcfeb4ec31e731899a0ddd0a608aa7ecbfbdbf37f4ac3810b275ba6905a1969b
31e7559f21054aca8a1cd2287e322f22e03ac6cbc84e1265c8ac1a3367403989
4d49933551f01cc730f63fd290ecb61f4bfa880a0660f0ec7363e148ef85645a
8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
f42de693aaae005ec4dcf3514621f8573b422f3a3ad1bb1af370acc7c5cba233
4ef83ac7a3bdee1a742de8de749c5afa4747acc20f8937301dcba291d1ef83d7
d0d2ac5af6ecfdf27de6c45ab86d521294350c5a64942cd15bb5d9a1ae23b0f1
205e98d299b32e102e3d6fadb9659f713601f8f713be02cec1ec0f437d3be075
6f706398207b1fd3a00de5f859dc840cf8e100175fdabe260ebb96db5980f03c
acdcfb74712f171a6527ea14112eeb4bd482b7ae74f4e2990a946c8ccea8ad65
6be92b0d491f6d5d7f65e01a3336aac1155f091ad6def08b541e07b68eda3bb4
d672848afdf3f3a32d6de454a3408acd1d9cc0c338e65461e63330e9d26128ab
05d3f3857ab465a1886005e6d6138c84b8c19447b71d1781e8169e48c371c0a3
fab2b2eddd748ae7fcbc5a1d0c2e0a7f9c75214a114d9450ca41c85ea9e71a09
1e26f69f063b034aff856a4b9bb1680824e61ebf28867a36fa30e2b3e1727526
a779cf3623ccd0238d0b5d3f01dcc911e1538a1c0a656442234b4c3335453607
c991a3ee832bc707306f68c46786afc17de14163f8d3c757516bac9953ad6f3b
582c078327541d1459228aebf38c9471b78e3a2c03cb9c375622209221970709
77295a1c2d8172b2a2eb3f5f20a2880c168dd10f01830227e4f9ae6d4a5c9a19
d37c856c37f289af0a5cf37c5e2c9ab7b115d401d945426faadc6b48234dc2ba
a4c91afb043246fd8ab645f23ada21aca414339c38ceeefddf33cc8414f26f44
94d68efe46fa5e2e5789d0a3063b48cf486e73fbfab3b84f9203372688fd1286
c21657a9253431b91837bc2089fde8e909f780b5736dd44263e54765d95dfb9d
efc8dba0e301b455b4691c60bf363ce60bc0b44921a2018ce2c1a684df8d26b9
SH256 hash:
52623f7f653468852363e6eecd312eacb8c07d24f3e4d06a736ee88d5945d6b6
MD5 hash:
bc67ec4fbc8d26fa2992db28c17d1bd1
SHA1 hash:
09de04d8f8eaa2f5509b632e26e0d66053e6a3d3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ef09b6d7-e014-4799-9b99-358d5b940999/
Parent samples :
701cc76315954f7e5e8b0fb36db44cdb6e6e40384be529670490523be1429d8f
84e892d4627a3a3aa053b30200788bd6942c046d2dadcf5121017a32e10142f2
6f094aa75a8322555241fae3063c17075a6ed5166bfb41c9055c390278178d6b
339c521fe6235de8b0b912c9fffcad6cc2eab721902ac095bafa510d68868c97
06c6a4f57f8b8d5b12406b5b2c8960362c0c2ef3cf74c4dcb49481ebb942230e
c470eab16e537bf777506e63bbedd58114c0403965e9a01965507ffd731dde4d
845304505e2c101665da5f7c34cff35f470b7a02d7c0218d7bd0d25664cc9cfc
e69d37275cc3b52a9d3a26f76073191ab8f59901781b5ef2859f33dee2252ddc
00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d
3cad0fb9280972f24f68c74e7b9c93dbd446c22f704f3b66cc7f1effc54d7a09
8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
5d4dc700ab772bfb4ac1fa290c0dfeae62058d31c42b48b5072a2c13b4c419bb
1de6c06cde011693219b05444f8e18cf1fe97373d0557a083a6e6e7d836e3153
db86c56e2f1c33504e4bd47d1490709bc5afe4ec1d95a0fbf22510bc3c542a8b
202efe071db5f07fc1570f9f296799dafd1bdcd29085e0b9c8c5c9e2ce1199d5
07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
f89d5db1d93b61d6e6346fa86e914a5b02e927c8eee905e658b0818f76a545ca
784f9e5d1eedc785401f6397aab1d9fbfff7593262f8db591e50ae06d37cba02
1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03
efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
8fe18e6c77d0b63ad58b669472c8247a8771c82ce4edc65814bb4c53fe5ab51c
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
7abd614a718eae6e0544e6828c834f275248093b5d807b7cc5c4de975dc7abc9
91a04734fb1bfa93391d961ff94dfdfffc3021d6cf56cb31f9d696aa3251c6e2
51d5fbecdf7459fc37ab296b97245a020f31cfd4ac1073f3fb2947a3710a8523
0198cc6636a1c05da00eb7457f498c6e1743fe0a9e3d50fc106621f862bf04dd
0ec77a2b6843ab87887929ed395775aa2280cb4d8d16454827bde96fcb3a100a
4fc7cb2b1080330179c0164b3cbd8b5906375fcadaad566896a5b6468917a21a
7a4b80b6d3ea4ca73224197f7d85d763dd953826978cdc30c6e75fb298cfb5ab
1b758fdf653d34cd62c7fecd1e3023ca5d3537360097676b5cc83b7915c2ac90
489d60af14c516d7b4f712272b1a2803988385e197a5883431d58f7694f22f20
f9075b95c77272f8c8f1b8fa996374c9c8e6bc0e2a6f1cbb6cc2fab34b9b589c
d122657bf2b391fb9fe392a711526b7ea4163bc606d629144c0e7b72700872d5
60541941074f0d0772bfd1b307f3ac777ed84f776bdd89aef505960bc97c1404
5e0237bb820fdcd2bafcaee8be22bb60004ef0f644c9eabaebcad2c423f4d4d4
1f468ba035928b41550cd68056a3e2ba8b4ef5e98b61b45c4562f110ddaba29a
24ce2be70ffbceba0067972a154cba571866cbeca67e2132bc01352f46acd9b6
8078b743d8a317718f8fa77d12caa85019cce7dfeab9da4e268fb4836a7f9e74
d4f10c758df8ca5f3bd16209cf5b82a27b218719453ad29e7f5073d08c376676
13aef47049b6f723e3b24e8f794b9c09e18ed477f62436d1a8250951b4fe253e
42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856
9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc
7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf
2e7fac97bc9785e461473c2776be1da2d9dfe7916753d4a3148c5055edeb9bd6
e16ed69e1d337d88539ff98cda8d36aabc495db375d68e4f9b86a1843ad8c679
799332983f0739446bd4e37db4163529d016947426bdc4ee519dc2e5976445f7
fea0db3026f3e075b240d97b0ff93ac157c8dc69a7d56a32e3595ed261a9ea55
2bc219aa0c642b6064f467a9abe85ccf81dfd0191377fa4453863384f22b5fa5
5d4360996a1f89361dda1818a51dcdd2a551698c6c4d887b5ba67fd86b946e3b
79a83acd6e34d187228950510e8bdcb36f0d3cc6dd9d6d35d40d37651454c1a3
2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
da8f006e36cc66990a1a1f43539bebc73fc9531413ba2960180db55927552014
52588fe73383ccdb5d715ecff941d1ae169a57d49deddcc8e3c06536f2c56795
7300535ef26158bdb916366b717390fc36eb570473ed7805c18b101367c68af5
23b7eb252bc2a67247c1a93f3f810acb46664d21fbb029051297c016e2991bcc
fd3164057ef5cfebb668b25b93a0638edf8d032f7a1e0c13249334bd913a1ad3
d07f3d05d91790637901f276b2b2a13ae4006768c22d9e6576a283a916530e38
eeae24981abf36649d9eeeedaee30acb50374d5567c8543e66b9c337688a7794
887f393b62c6c4b69e81cfc772397619082d936dd38cbcbc0f54b623ef871af6
12156a70576773f3aea3bb59bcb042ddc4033a7e0c1ec5dadaa8df2470a53664
a932a1ece48c319e2ea472193afc00132644c7540b4d0156b1c9b518c54869dd
a91e52d4bedcc2c8114e3f2ddb80908c4abb92b0838689a14818494009088b95
7ea98bae6d7f0176c1ae6cecc9bfbc8611304fe007899d8d989425c7b13f3339
238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84
9410ad58ad07e9b3ed28bc9be7a567ed733e14ca0de9faa470cc7c200ddd917a
2ded7ae6526b0a58dbeb50d575c13c84f76751f15a81ffb81d4a4d7f9d8539ce
232a7e46e445365072b4a136330efec9284ce63b7b1525442a10f68a8ef02ee4
1fa03ffa990685dcc676b8706fd5ef7246de2c18b97c14d882ee25b0d130955e
9529683e6579dc09cc61d5f2e5909d922f2bb589586d9c2350642d525924c1c4
8bcb1766e1f236382b36fab2fc6a8ee385275c0acbf3067471cd9b35703f2875
9fd0ede72e03f6a4897daaa809a4dafa9b9e0eeac52c5244b11df40e9a4af2f2
ece49e828c96a3cbc96535f04ef66109c997cb13a87850c4b66b3de0fd2818f7
320daf03f7f2b9e697955ebc5c479c51fa3fb32caf789187c54b52749550305a
01e140fe679c25634196075a34eb5c8594ec3631571023282955962b3dc1f609
0d222d3b5efc99f87cab1fd26440f65f531c1058dad5d9153e45331bbcf5e856
f7fbfc0649a348b742faf012fd443a55ee310f475a9b58d7b07ede4e0428f494
b5bc975891963c29a16fe8ac7dd612f15afe937fd14ba95707a6ab30224bfc7a
f6093a0d468e3cd2df9b2563336ccbd3b5783e8c06c52e296770fc31fe5257f4
99430e62ab4f67847bae708e0414b25e6df4a3631c7477231ef4bb3c214d37c3
25f9a9731702553929452710d25a8587ca7e7e7ef9494b7f82c6682a2cecf024
9d206d3991c8549fb048a2aac2bf5aa7d25c0958713fc8f3aa2bfec18d47dbe7
e07298c237f7f69d83c9760409b8c38dc311581008c751c3f6ddd37bb408cc87
e3ce6cb3e592837181c06c157cd1afd190afbedca9c66da7f4dbaf58c51afcd8
143a58287706e26be705b3756cf1810922cb28e92954ec6e669131178bf196fa
089e95b16d5f1acc07ddaf59d1edf60fd52ce6cd29f4bfa17377f4a68c383d12
662c96f27f4533d72e97b4cffe31be71d810dae4e6c1ac981060c38d3f627142
a5d951ea30a7079b09113a1f7d98abfe809f8030be45de8f8f9e96a51778867c
24d731e94d2250181a75707739b145da491194c5a6bfd29fd93ab276bb106601
SH256 hash:
68fda8eeff1540456fcea839aab088fa628f4e9a5b76d6221760df1e08133de4
MD5 hash:
702520c7ac40febd60addafd6ae54b37
SHA1 hash:
019c20bd2290249a5fe537c756d729540443b4a7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ef09b6d7-e014-4799-9b99-358d5b940999/
SH256 hash:
8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
MD5 hash:
8a53a0551259a54c9503f4cf29a67821
SHA1 hash:
edcb94850e63d424604029edf6c720b9d1d6e8df
Link:
https://www.unpac.me/results/ef09b6d7-e014-4799-9b99-358d5b940999/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bd60c5add86/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments