MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567
SHA3-384 hash:	5a8464a34810fd5c2b95fa3dfe0b34d690cbfe051bf45c368a9327cc32ce1e8ef4828390d9c371c344478e513b6c30a3
SHA1 hash:	f66e91c3aeb66ddf1f6b8311b87f5fae0c76fe15
MD5 hash:	d986e16ba11252dcee1510a57a64fb58
humanhash:	beer-island-black-quebec
File name:	8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567
Download:	download sample
Signature	Formbook Create hunting rule
File size:	871'936 bytes
First seen:	2023-01-06 12:48:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:zd12iNju0x2cHss/S+PjWofmm48t9dY9NwblhOLKBvMZsfT:zr1Vu0x2cHs6SqjOm48bS9+hlvMMT
Threatray	17'250 similar samples on MalwareBazaar
TLSH	T111059E8932F29033F6DB02301735B9CC0D726A43797AF11A9A677BA49131DFF7A94216
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567

Verdict:

Suspicious activity

Analysis date:

2023-01-06 12:48:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fa8b20d0-b477-49b0-acfa-246dd7bb5b87

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/350043/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed phishing

Link:

https://www.filescan.io/uploads/63b818bf40e878e304232cfa/reports/73210285-2e49-49d7-b43c-366f6d3a345d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9515d913-c7b2-4c6b-af75-b6497521b00f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1146297

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-01-03 01:34:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 40 (70.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r2mugefca4epvaqoapdpxaxaw46fltinyddqhoyoitko2z6davtq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0c99ac0f354ca12ab65c083c65b5d82ee242f9dbc2e5bdc8d9354959d655af52

Formbook

0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376

Formbook

1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2

Formbook

61977941b6ece2c52ebec3b2d38b4e3f4b1d4713bd6b3ddb0f0405351e2adce7

Formbook

74f7661ce543ece586c81b95a2ee3174ca65e17369a90bb6522aa1cd34524754

Formbook

9d1ee961410bd91109f256fa8d0976d53e2c317e8ef55ad244063adf7865afe1

Formbook

dc15767e2e5c4974c34576284c24ddc5ecc8d404bb4924b727b0a10f7d95355a

Formbook

f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644

Formbook

fccf57db9ef1edb43daabe262bc2bca44423ac7beab6249ceba5f87d0d15f97f

Formbook

+ 17'240 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230106-p2cbaabg6v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ac48a668-4a02-4994-a626-5ac6977ea556

Unpacked files

SH256 hash:

c9aa4c9150f58234fd5feff9142434e919e36aec267f208cfc16d6ca3d42a96d

MD5 hash:

30ff67b5489bc8364a0e2e5b5035cd68

SHA1 hash:

76cdc482ce820f5889429653f76f20f8f022de84

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

Parent samples :

1e127318c1ce80a94092d002caa752b9e4a8c0ad1c8c86953389ba05b9b24eb2
74f7661ce543ece586c81b95a2ee3174ca65e17369a90bb6522aa1cd34524754
0c99ac0f354ca12ab65c083c65b5d82ee242f9dbc2e5bdc8d9354959d655af52
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
1200bb8db6fa441d0e9a752853cdc84841988a5e75510813d648153402e31955
9d1ee961410bd91109f256fa8d0976d53e2c317e8ef55ad244063adf7865afe1
f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644
8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567
61977941b6ece2c52ebec3b2d38b4e3f4b1d4713bd6b3ddb0f0405351e2adce7

SH256 hash:

44025022362169baa09442690969ab14bfc9dbd65b2cab6f6c963aa247706391

MD5 hash:

e0fc6615a88b2a263cb9e418abcbb612

SHA1 hash:

b774b2590170b49031a85b2873a80127392e0fab

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

SH256 hash:

682e8f85dcacb756131a62f06de935a80843c0677cb69e0d8352204af6e94d8a

MD5 hash:

58519d896af16bf32f825c5a0afb2168

SHA1 hash:

d6a3811343ded3b1d982c6438909097ca9dbbe9f

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

SH256 hash:

22a99e2740dcb5fcab542cb6ee33472a01b8f226f76e031e31b9f00ca1b08b8c

MD5 hash:

bb7995fc982c684be3ddc978e7853bca

SHA1 hash:

b5b9064f2f4ca6b8fa9646700d0bb7d0e0acbd55

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

SH256 hash:

e63043ffd20f25904aa7c712b0d4ed04352177905a8552ff615c473ebc6a21c6

MD5 hash:

9bca9901716f6615eebd691db456eafa

SHA1 hash:

4693e3c1d5704f1e9be9959bfd9faf37be158f40

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

SH256 hash:

45ddf3392d23dbb4530497e3b1906be0e8414ee7ef1dbd1ad9385d13f11cfab6

MD5 hash:

2b53c4b8dec46acc57613eb4752ed9c6

SHA1 hash:

0f91704be97c0e87da6d061d4b15e1ddec1d8e55

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

SH256 hash:

8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567

MD5 hash:

d986e16ba11252dcee1510a57a64fb58

SHA1 hash:

f66e91c3aeb66ddf1f6b8311b87f5fae0c76fe15

Link:

https://www.unpac.me/results/f8cf8495-ca99-45b0-aa76-8936a6bad097/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8e994310a207/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/8e994310a20708fa820e03c6fb82e0b73c55cd0dc0c703bb0e44d4ed67c30567

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/350043/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample