MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ded0da09fc0b8996bbca51a3f001669e85a74b7da56a64d97c1168c8d6a4b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 10

SHA256 hash: 8ded0da09fc0b8996bbca51a3f001669e85a74b7da56a64d97c1168c8d6a4b0d
SHA3-384 hash: 1d9791f04495a1d5e4f44e06dce0a1108e28b60e222ffae50a610c4a3894d42e34791989ef170e7501eed05377e0a01a
SHA1 hash: 7bd8ada4b3844b9046823f601211a603040a2038
MD5 hash: 6befcaeb9a7e63e4e08065d7731e957e
humanhash: princess-cola-black-july
File name: TT COPY_EUR88,000.exe
Signature: Formbook
File size: 662'528 bytes
First seen: 2023-12-22 06:55:41 UTC
Last seen: 2023-12-22 08:18:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:yKMmomWOHSk53jjSOciaJbvwqsjGVrS40HvpfUX57/ETRP9b6iDZzXkRF8F:8b/Bk9jj3cXmAMHvpfUlEFZ6iNzXkRiF
TLSH: T1A5E41228736D4207CC6E4AFB0462751497BB60639912EBD71CC7219A08FAF11CB85FAF
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0060796969697000 (8 x AgentTesla, 6 x Formbook)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 269
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-12-22 04:47:40 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 18 of 37 (48.65%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 8ded0da09fc0b8996bbca51a3f001669e85a74b7da56a64d97c1168c8d6a4b0d (this sample)

Delivery method: Distributed via e-mail attachment
