MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b
SHA3-384 hash:	cf2ee49330f1db50a27c0b51313b54387aba4e1ce975e683aceee37f31baae0bf7b4b2d3308419d48804cfe70b3f401c
SHA1 hash:	45e872762be5fac97045b587cc07cbe4e0257e54
MD5 hash:	50b0d9737dc312da6aa3dd03da0daebe
humanhash:	fruit-vermont-december-bulldog
File name:	Confirm!!.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'117'696 bytes
First seen:	2022-12-10 08:35:41 UTC
Last seen:	2022-12-16 15:00:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:ufEdhonqyN+89J/tVwXXND9sGkDRjeLpFJ:nyqyIY0NRUy5
TLSH	T1D1354A8967B2A06FF48B7261A4183E9DCC307D673247E29677733B0292D49FFA665043
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	6dd2d312dbc8cc49 (94 x Formbook, 5 x AgentTesla)
Reporter	JAMESWT_WT
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/344906/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.21392.5516.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/639444f79a505ad9423eab6b/reports/dafb4362-17bc-4334-944e-0e88c98ff3cb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9a63d70-0501-49fb-b414-df4e3a284114

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1131841

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-12-09 19:35:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r7tgalipjuvb25ey73mee23yo4ipyo7xxtosguvzd3ods4tcmivq._file

Verdict:

malicious

Label(s):

formbook

cobaltstrike

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:he2a rat spyware stealer trojan

Link:

https://tria.ge/reports/221210-khk2vsfb79/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/84025df6-a942-4c15-8c12-9e34bad35fd3

Unpacked files

SH256 hash:

3a5850135a42675ec97cf29b01e8a7204d23b031fd10e15d03d99c6ff9fe14e6

MD5 hash:

c198b0eff5b8176b80b5afa2341d1935

SHA1 hash:

f1507ae0bd68215945325e2386b75b8787482ee9

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/2167959c-d717-4acd-8dbf-395071926a46/

Parent samples :

8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b
b240bad854a6a303cb4c10f6fa8629a79727b9d606668e9e62273a98b664fe40
36bbf8364dce4ca87034ac5be0a11cb79d0ec00b703e14f7a6b3f83cc5b66beb
c470e4b00af7989d546bcc74d51f93920ad6b17c097eb8fdece7f701d68ae052
d7147ff4c83891f4338af09c1c6cb2f7fd00dfbf3753bce7024627b72fce78eb
c104d364eec79cad7a9c9040ff30d46e6b2bf694b3c8f80130bb599345fc3d76
296abb33b7337fa594b7a28aaa0793ff1e7218b97974fe1764a0773f8962fbdd
45043a002e8f3d458e3dbde726fc373528fc485ba829b9b02b5826eb63069e3c
e05dd4fdf0071a4108eac210a9eeae5c2bfa44d80dc8eac941f4e4a0d1fc0aa1
b5f2e0b49faad7f9714d0b1088965647eb83d8772b234555738bcea1094dfd2f
ae06162a5d6deb6cb98b2c2f0d1f5e1c8427f15d271e90654d47520833d3f106
ce4538d962580d2b52a8cb68aefb500eaee8f07dd01c1fae3b50b4a40585131a
16c87c0de9538e8cac5d187949b3fe9b1a11ee1ed2bcdcc726ea47115d6701e1
9e392cb448daf1882dac5f6fbc0d736c76bed78befee2c8b513241b8ed6a95a0
71780af43512c9499d7388e6c3e04b3e667bdbd49e0defb6a458126be2cedde6
e40bff3bb093b2bdc11d7e1d5a990db99b3a914dc74a1aec2d28662da10cde9b
041e8def9ed010055a5b366d501d80f49601e6c8650470c7163addb52a45e634
43b5cfd70c439d116d7ec6381d664d5c8e7f89f84eb4186675db11bf830ebabb
154da40b848da265e6339dc5773113f75d1b7922b1273a9e6ee6782e33b6b6e4
5beccb2435d3933d532afbe6c4f432dc6329c280c0d9fa8a849dcd797d542cc9
10f995960aa806c718494876517cb801027ea00e3110e9b754b1ac039a0f696b
05d10f03be1265543cb1dd13bd493f52de93c6ccceef98fc3ad9f2cd55930ca0
ec0778be2b035c23fb64b29a0b1480ab8e11e6bec3ddc1f6f94dab39e35fa4fb
14ac214aee66557d77577da7211f5fa6476753b38ff8b40738c660a88c8ffd35
66e61b3996bf7efd0024f9dc73bd4e9d180b1347dd10e2b9a985eefde8cbb250
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
48bd774210f381b63ba719ff062f5000c3e1ed8648f5df60530b2e65d5447c01
eb9bb2864bcf714084d8b6c2d9dbcf55a30727c8e87d66eef592048dab10dead
0361bde7da9104b4a09db39ac90c1af16e0aa137f4f33c57c9844066ce7c6d7a
9a2008be914863b763da0fec53a39e995cae4bb95a03aeb634c95ba7a6943522
7af9cc5b2aade862d245026c370d0d4fd4d375426cd26357abba3ddb4c8a9824
4d0e2778ee5d3e6ecd06d412459a79d86e9d2742403e378c7581a70cf0e2451e
5e1d953a310fff548296b75e81092f5f360c146f02c45627fed82a8e85e8582a
64fdde31e18afd348c0727affafb347f0cd0203ec20268fbea9dcb4cc6d1caa9
d1fdb78142a09be2db38f3e704f9cc96649745d1055eef07a702ed674cb4b9ed
f9a4e3002fdbcd93464f38fc49bebadbcc0417454c702e8298cf245fc751eee9
f797e394559b216d6a6fbd4ef0ab89291e495fe1b5aad152b50fbe5874b21f58
9963577e3c04d62e4f22f861f0c7a51b9f297847125e271024c6f138a37b08f7
bb8548a744cd648172b769babfe7fb42aec25bc35e812f491af41d31c4c92d13
b46aa459568e452fd54cfc23308ec8f18affb47fa20a5813ac307ae05562a099
82dc16435a574994fdc6844c28c6293c8b6753eb651ce4faa5a002ad83914123
85f953d72889a0c7dd1908d932854ce5999e6bf65feb103e611cf20e05f353fa
b7b13f7292e1c908ad3d37dcc096ae01582efa6f1d91893a78bd0f84b283b148
779602a8ec3577cf114c41704c9fe2b90130da2dc331c4bc2cc5a0082ebacfd6
0322ac069d3777358bf3ccb0af596a20dcaa1d0888dcea9e043dd969eae4bc3a
1e6327a5456f3aac77ec28cc80c9f9f8cff8a157a25a8a2f597764dcbccce3ea
9df6347fd6d4c18024e5330a6d05ab03d7f85f7aa70d7f083bf80f764852a367
56a918e62959cb549a2dba171a6aa849434cb4052fcea42f10a85fefde442b11
7cf52f2f8e215fddb4ccf366bcba1dbd374745a86e45613522461a3a71ade4fe
64d39c5ca1acfee70e9e783ae33212a0f271ba323077a7c2b0a135706e3e37c0
2a0883f81fa813b247ae1243050bc720926599286a213725a86a50ced42c0ead
5dd4c27314890b2dce6f382d1e7211938c08fe622d120f98924db0b5396dc80d
5931b9bb54cd619e0e0518c4e61654a3c154b59e72428698ea3f381cabaad213
ec7f9e26c253ba9024ad8baf255778a3ee3055cc0f834be9e77a41e80d49e9e0
a4e15cb73ccfc8ff3119326251deca62b7618cf21c6554eb3edd9aaca2d222f1
7145bd1637fdc8111b86d7586c07526d2c9db8f4e2f30d99ea9740feecfd3d2a
d734447cac7e7f4656b9eeae3a3afbbbdb5de5383a086258e8c2bbd60af69489
f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926
595c20f94db2ba132681d1b669ddd21a561f50a5afd4df0925fe8fd2d988f3c6
9c051c1f0938d57caab88ddf7c68456838889f84907436aa6dbf50b1e35ea6ab
5f1da6912a7c832726ad587d5b8cc3480e931d1f7997603a0a391b422b1013fd
c365a6886581c5afdc2bba03f6b8dd4af723c570002d359af8cafa1c145e4adb
4c8efb2c7d2516b6253a3008e5f4dd5a0efb6b9752c76642491d9f6bfd9df6d9
c8bbde20a022606bed6b8b1fa2ee04d67f797e9f0db2b2ca76521a16f56b267a
2d8467103cc2a2c613c8b04a174839f339c793f2a4b05f872c538e06d5e89a78
2d450cf09b7158d5036e1e8572f9b0327d70670f0238ff963cad00aeb9020625
5cffcbea55270dc431c4838acdfd6f2a12b7b3e7671674816fc717653abe577c
9038c3bbcd0f0ec3a2dac2581ddd2eb0cd178cb4bf307562cce6f5fbf21772ae
f7f15a2841957be3bf2831fa44dfcd0125a68f1a36db209bfc17fee0a6d77b22
c4228dc6ce27a3999eb9319d40699625d8e003da61d9a4f274584248a0535548
1d85b0167afe65046fa652f0004736612fe1255ebd233745e94a01451c57f190
f4f30e7141908e117623dcac4e9f98cee8287fab750a1d720bdba5350cad19c9
81af3372de9de0b722517247542598548c0c6745448d247f3a99da73e4d635c7
c91554dc0140d85cd8b7375c44f322bfb86594d508b49133f4aa2059316b6ebd
59bc08231420c0f5ca032178b6654aedde4825136fd3e65c71e4bfb10127992f
7d0c488d900c633cfac5914cc35d1a31d3549710db2c9ce1612ae94ecf106dcc

SH256 hash:

0f287ddee0322cb5528017ba44b7d6cb4816b255846e4d755b2c5bce81b58599

MD5 hash:

3e5c1807dd2046aacb5bd101527d3104

SHA1 hash:

6cbd0335cb98aa50b24985e785ef138ef0e59c13

Link:

https://www.unpac.me/results/2167959c-d717-4acd-8dbf-395071926a46/

SH256 hash:

922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50

MD5 hash:

1ecb63625d636b0b8f8ebdece9fa80c3

SHA1 hash:

5623d5ad21fc63893011bae7e4709c51219fcc1c

Link:

https://www.unpac.me/results/2167959c-d717-4acd-8dbf-395071926a46/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/2167959c-d717-4acd-8dbf-395071926a46/

SH256 hash:

65de862e8e561c0335b1cb48f7d91efb3b9bdb6841d640450749cf471a02c407

MD5 hash:

6ac5c79f692ea266012c0b35d4b116c2

SHA1 hash:

2eec4df99031e7635a1cc1f8e2e09dc5545aeabb

Detections:

FormBook

win_formbook_g0

Link:

https://www.unpac.me/results/2167959c-d717-4acd-8dbf-395071926a46/

SH256 hash:

8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b

MD5 hash:

50b0d9737dc312da6aa3dd03da0daebe

SHA1 hash:

45e872762be5fac97045b587cc07cbe4e0257e54

Link:

https://www.unpac.me/results/2167959c-d717-4acd-8dbf-395071926a46/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8fe6602d0f4d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/8fe6602d0f4d2a1d7498fed8426b787710fc3bf7bcdd2352b91edc397262622b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344906/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample