MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2
SHA3-384 hash: 636e03091fd6326f3509187012230189b73b0e1cedf89fbfe0c203cf344afb0186ed19d94f989c67f432dabc960ba1e7
SHA1 hash: 115f14e5c083de1d3281fe7bb9d2f995813fd185
MD5 hash: 7a2a3cc24199f86f3095d329335742bf
humanhash: cat-berlin-burger-montana
File name:7a2a3cc24199f86f3095d329335742bf
Download: download sample
Signature Formbook
Create hunting rule
File size:1'269'248 bytes
First seen:2024-05-21 04:20:00 UTC
Last seen:2024-05-21 05:20:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:USu1S82mBVrIiudq1WvX17XxUgbpVUxHZsPYE7C:USuU82mTV6l1UYpeHC
Threatray 47 similar samples on MalwareBazaar
TLSH T1D245BE1177E8863BEAEF83775468580487F5F412A367F7891C40B2FA1D137A5EE00AA7
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
366
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2.exe
Verdict:
Malicious activity
Analysis date:
2024-05-21 04:35:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/598b7e10-f19d-480a-9a28-7865eafd2c91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.KeyloggerNET.54.6537.11476.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Tags:
Generic Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
infdefaultinstall jsc lolbin packed
Link:
https://www.filescan.io/uploads/664c20fe81ea6b1eef4944bd/reports/9e2c1e24-0a38-4edf-be07-6bfe4a4c2211/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f5a9105-fd8c-42bc-b6b2-b2f13fb7363b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444746
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444746 Sample: m735YSFaZM.exe Startdate: 21/05/2024 Architecture: WINDOWS Score: 100 27 www.vourechuri.es 2->27 29 www.thewolfai.com 2->29 31 13 other IPs or domains 2->31 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 6 other signatures 2->53 10 m735YSFaZM.exe 3 2->10         started        signatures3 process4 process5 12 m735YSFaZM.exe 10->12         started        signatures6 57 Maps a DLL or memory area into another process 12->57 15 xGDcVKYfdawdPfhOXwKUZwEPvK.exe 12->15 injected process7 signatures8 59 Found direct / indirect Syscall (likely to bypass EDR) 15->59 18 SearchProtocolHost.exe 13 15->18         started        process9 signatures10 39 Tries to steal Mail credentials (via file / registry access) 18->39 41 Tries to harvest and steal browser information (history, passwords, etc) 18->41 43 Modifies the context of a thread in another process (thread injection) 18->43 45 2 other signatures 18->45 21 xGDcVKYfdawdPfhOXwKUZwEPvK.exe 18->21 injected 25 firefox.exe 18->25         started        process11 dnsIp12 33 www.vourechuri.es 104.21.34.155, 57809, 57810, 57811 CLOUDFLARENETUS United States 21->33 35 www.oobzxod2xn.cc 172.67.140.176, 57781, 57782, 57785 CLOUDFLARENETUS United States 21->35 37 5 other IPs or domains 21->37 55 Found direct / indirect Syscall (likely to bypass EDR) 21->55 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-05-20 10:46:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzunckvd3p5lz7bfs5xhyhkeceq6ekz3bqdmkahqhs3k6npoj3ja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Formbook
19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77
Formbook
37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7
Formbook
46bbd8bfd207c958a5a695daefff47cd021898dd248d13c1a0e8b0dbc8466c2a
Formbook
bf1f882e2a1d0e35207cd7cab867bffe933e134e43ff317acf2db538bd4d7210
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
df150a5f4e55998c6688495acf39c9eefbfef604406d8347f1ca1c21a0ea115b
Formbook
f7decb942c4d2f001d2f810978463780697403597ed4f5102a19c27edd649ce3
Formbook
+ 37 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240521-ex4jvsha42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/310b9260-08c9-4027-b430-0e967d10abbe
Unpacked files
SH256 hash:
b2b6815074069f2edeef13c293eb85569d5e49981fab4265f77f4a270d754227
MD5 hash:
e1b59108ee139906eb80dd3e5ea47a3d
SHA1 hash:
ea2189c15645a70ea766de311acb651b337a1c10
Link:
https://www.unpac.me/results/3cf99982-dc9b-408b-90d2-d39e8f0b920a/
SH256 hash:
6420b119fa876c52aa104c97e100b0c834984e801885414e4b4404f6c30f7773
MD5 hash:
abc6f6e27b04bf35f954e22f96f340ba
SHA1 hash:
212fb62b945304efd3546ccb8a157cde95dc40cb
Link:
https://www.unpac.me/results/3cf99982-dc9b-408b-90d2-d39e8f0b920a/
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/3cf99982-dc9b-408b-90d2-d39e8f0b920a/
SH256 hash:
7b729212e302d50dd4ca0b24d384e066097f45499ba0d44b927fa9583843f1fb
MD5 hash:
e59fbd843a61f90205d3397b987c3dd0
SHA1 hash:
0d8aff06846568024283b2a89118baeb30f91c12
Detections:
MALWARE_Win_DLInjector02
Create hunting rule
Link:
https://www.unpac.me/results/3cf99982-dc9b-408b-90d2-d39e8f0b920a/
SH256 hash:
8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2
MD5 hash:
7a2a3cc24199f86f3095d329335742bf
SHA1 hash:
115f14e5c083de1d3281fe7bb9d2f995813fd185
Link:
https://www.unpac.me/results/3cf99982-dc9b-408b-90d2-d39e8f0b920a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e68d12aa3db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8e68d12aa3dbfabcfc25976e7c1d441121e22b3b0c06c500f03cb6af35ee4ed2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2858202/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-05-21 04:20:01 UTC

url : hxxps://covid19help.top/findbin.scr