MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4
SHA3-384 hash: 3e0563aadae62fb279810c5ae558001b611221cd03751f10620b28dcb0ff777d19c7aa1c0476f70e83d1e368ea46443e
SHA1 hash: 7c0a254a2a2db4dd9dbff900fe59837ac43b0535
MD5 hash: 0ea00cd19382a471a5f599c54dff91f1
humanhash: mars-october-august-winter
File name: 0ea00cd19382a471a5f599c54dff91f1
Signature Formbook
File size: 671'744 bytes
First seen: 2023-10-18 16:33:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'455 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:x+DJ92ISrBKeGo7UymguRDmw9lxUeyqfbsuaHOmhe4LM7J9:s/sBuiUymguRDBb5bXaumhPQ7J
Threatray: 33 similar samples on MalwareBazaar
TLSH: T1C5E423187ADD6362E2378FFC987440081FB9E6713650DE2E18D8B5ED852970EA112FE7
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags: 32 exe FormBook

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 313
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Restart of the analyzed sample
Launching the default Windows debugger (dwwin.exe)
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-10-17 21:22:46 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__GlobalFlags
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Author: qux
Description: Detects an exe that does not have an import table
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Windows_Trojan_Formbook
Author: @malgamy12
Rule name: Windows_Trojan_Formbook_1112e116
Author: Elastic Security
Rule name: win_formbook_w0
Author: @malgamy12

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-10-18 16:33:57 UTC

url: hxxp://107.172.31.18/4d4/audiodgse.exe