MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
SHA3-384 hash: 6a9d7a6144cbf3057d0188c26e0cd24e8db7a7a1b6c9de5b8e1a9b11f5e865e74adf9c85b9a0584f2e65a2eea26b5f0d
SHA1 hash: f40747dd6f9bd62751bc2b9734dd5bbe8e92723a
MD5 hash: a6718dd552a34001f40ced365b16d1ee
humanhash: angel-steak-leopard-hawaii
File name:SecuriteInfo.com.Win32.PWSX-gen.24957.8148
Download: download sample
Signature Formbook
Create hunting rule
File size:790'016 bytes
First seen:2023-04-26 18:29:39 UTC
Last seen:2023-05-13 22:57:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RblmTdKCcfCQtVKr2hXFn+8WnTN77B2qjsH0y:xlmAdE291+86d
Threatray 2'748 similar samples on MalwareBazaar
TLSH T143F4F43C28BD1627C579D7E58FD08427B664986B7121EE68ACC793E60306F1269C363F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.24957.8148
Verdict:
Malicious activity
Analysis date:
2023-04-26 18:31:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82aff8f0-1af1-445a-82e3-7287c6423f62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385107/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64496daa0bac81e8385a37d8/reports/a43cf592-8851-49e9-8c14-3ab10e05d21f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f860b2bd-3279-44c5-a228-8b01113b242e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1221794
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 854743 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 26/04/2023 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 6 other signatures 2->72 10 WBJIjC.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.24957.8148.exe 7 2->13         started        process3 file4 80 Multi AV Scanner detection for dropped file 10->80 82 Machine Learning detection for dropped file 10->82 84 Tries to detect virtualization through RDTSC time measurements 10->84 16 WBJIjC.exe 10->16         started        19 schtasks.exe 1 10->19         started        44 C:\Users\user\AppData\Roaming\WBJIjC.exe, PE32 13->44 dropped 46 C:\Users\user\...\WBJIjC.exe:Zone.Identifier, ASCII 13->46 dropped 48 C:\Users\user\AppData\Local\...\tmp5EE0.tmp, XML 13->48 dropped 50 SecuriteInfo.com.W....24957.8148.exe.log, ASCII 13->50 dropped 86 Uses schtasks.exe or at.exe to add and modify task schedules 13->86 88 Adds a directory exclusion to Windows Defender 13->88 21 powershell.exe 21 13->21         started        23 schtasks.exe 1 13->23         started        25 SecuriteInfo.com.Win32.PWSX-gen.24957.8148.exe 13->25         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 Queues an APC in another process (thread injection) 16->64 27 explorer.exe 2 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        process8 dnsIp9 52 www.searo.co.uk 213.171.195.105, 49698, 80 ONEANDONE-ASBrauerstrasse48DE United Kingdom 27->52 54 www.expresspestcontrol.net 192.64.119.26, 49696, 80 NAMECHEAP-NETUS United States 27->54 56 2 other IPs or domains 27->56 90 System process connects to network (likely due to code injection or exploit) 27->90 37 help.exe 27->37         started        signatures10 process11 signatures12 74 Modifies the context of a thread in another process (thread injection) 37->74 76 Maps a DLL or memory area into another process 37->76 78 Tries to detect virtualization through RDTSC time measurements 37->78 40 cmd.exe 1 37->40         started        process13 process14 42 conhost.exe 40->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 18:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5q72xhdyl5jdbwhlzydz2pdrvtfhc474iqu3v4nfx2mfr6l3inq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e
Formbook
2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42
Formbook
319ed15753e7ce1ff182e1bd2e4900de9c76300f30cb645c01b57324de50face
Formbook
3c7e3789b58b388a933c51740bcdc44c6a46bdaca5969e46b6b183294f470bd3
Formbook
455357f9a8164dcc16dc461cb81c48bf0215d871152c7b6e1577944a4b6b6edf
Formbook
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
Formbook
cbdac32d6f43a1f03a26cc2fcc6ea13586f0d7f85764c1626cc71ce30bc0434b
Formbook
d40024a841668b3cb64cb894613ee64fb37288125d32ca3068007f70db30f1ed
Formbook
e6d16fced75e8265e62b73cf660a303c0e03f50cead978df78b0a05f51aa42dd
Formbook
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
Formbook
+ 2'738 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o17i rat spyware stealer trojan
Link:
https://tria.ge/reports/230426-w5fw7sda2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
ab3036f19998adea73263a39874391e8047cd2369ca062ef90326c7b46cdf069
MD5 hash:
d7fd54c77e6dc3ddcb7f0f442ec9f2d5
SHA1 hash:
b37657214b8a5fc14ff8e15722cdb6b86da1bd72
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
Parent samples :
0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e
e6d16fced75e8265e62b73cf660a303c0e03f50cead978df78b0a05f51aa42dd
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
7e17d20032413cfa6dc32271e7a386b32a4cc79744171f9f2d9b895444c5e110
72ab6b20fff5f1384506c7a3943c3c8f9d3ce2ecc79197f0ad8274ae1a2150fd
a530b6b2224f5b81914f4e439b135a06e761d6587e1ea76eb069c7c51c3ca50d
cc9fd84fffa1811ef3177586d7c6aee88dc4dc5412fd658ee4bb36ff934eec01
338bce8dae0d4fe01a719210414e31861456fd8584853636e775ac4e1c83b453
fc52523013f9198bf95daa7b6f6a597b518273b54c50635784deee1e3c9dd991
cd94bb8956e12aa67943b6bb657f17d2680b848b36f8726283a2037d1d588461
0480f30f1070d12b3231c495ee15699f09049f1c5bc19e889ebd2f3571bd4ab7
baf6e6d6d8347f5151d3c260ca4d72694f5339b558294409cb7c4871616d8188
ebaa46d302bc220922a76189a85e48f24587ccab47f674d37b02cf4e605c4755
SH256 hash:
7b018d831e5a135868fc7e507c2e4360b7fb5890554e689a7817759528a29b85
MD5 hash:
a4ef8d0a55cbfe334ef8e92dfa18d8ca
SHA1 hash:
b22515298982a3bc17a127e49a4f7afd5b8e69fa
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
SH256 hash:
58d2780bac07a53fa9ef0099c386ad23c2c5b83df99e18bbcca9895f829ef5d8
MD5 hash:
3a6ac846fbf56df68c3cb61cd18c7623
SHA1 hash:
e5b7f4e47b357f330b33330663ff5739a02d442f
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
SH256 hash:
5779e02b2dc1d0286c4a3313660e6973c0d7644adbf92de7f8dd405855429796
MD5 hash:
bac3d79052ecad761f631179ecf46cdf
SHA1 hash:
312da0d3bafc01bc58ae2b0abcdb93098417ec2c
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
SH256 hash:
80b2347e80b1e4763fff564144aab01c6ed432aa15aa65ded0a068a6d8503bcb
MD5 hash:
b022c3dfced1887a5632412ff9b16fe2
SHA1 hash:
02e487f5febf3a98b45a11ccbd5fda72507ad8be
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
SH256 hash:
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
MD5 hash:
a6718dd552a34001f40ced365b16d1ee
SHA1 hash:
f40747dd6f9bd62751bc2b9734dd5bbe8e92723a
Link:
https://www.unpac.me/results/ca70b0f3-b076-4637-8ca5-150d3ef49a5f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f61fd5ce3c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/385107/

Comments