MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 16
| SHA256 hash: | 913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce |
|---|---|
| SHA3-384 hash: | f87c3bcf8f7d9d30387b2dc43f5d8604d2e1be92f6331e9bf75bc2208b2f52fa7ff5a12f740164f21b8113fe702d3b26 |
| SHA1 hash: | 4bb89851167ee6a2ac32193a33bfafa731de1bfc |
| MD5 hash: | 6ed7fdb62d95c081a373620f6d0ae7b1 |
| humanhash: | november-kentucky-comet-grey |
| File name: | 913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce |
| Download: | download sample |
| Signature | Formbook |
| File size: | 684'032 bytes |
| First seen: | 2023-07-07 09:36:05 UTC |
| Last seen: | 2023-07-07 10:39:00 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:5z1pdvDhH62MmgPF6DNVBDUT3qBkuHYgvho3vlQcHqx8XtLs27A1fiOr:hdvDcAwwDNTDS3JWst/q |
| Threatray | 3'409 similar samples on MalwareBazaar |
| TLSH | T1A1E4128473BA4323D6F383F64150227113BB6D897472D3AE8EC370D61A9AF465631E9B |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Reporter |  adrian__luca |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
2
# of downloads :
262
Origin country :
HUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
Verdict:
No threats detected
Analysis date:
2023-07-07 09:38:13 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Detection:
formbook
Threat name:
ByteCode-MSIL.Trojan.Taskun
Status:
Malicious
First seen:
2023-06-21 09:13:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
14 of 24 (58.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 3'399 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:gg04 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
f0c89477d579cf7dcb360eb8f30c168d46aba7b07a6dbec7296ccad60cfa5927
MD5 hash:
398ec82c3e278a425b2efc5c6c8a76ed
SHA1 hash:
416c6cd08e4076efab6f8b5e83679e5204a9d934
Detections:
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
SH256 hash:
1671d8684b52c1af29128f816219687c909472a7131a1aaaf492b93bed1d9822
MD5 hash:
b02988cac49f777bb6aeea0a036e13d5
SHA1 hash:
3780777d25119f90eb9345306406ac17b910173c
SH256 hash:
e952493f9c1dc5bb85a120b470a1ca68fed1e9fae0a19f38bec62b1894d1004d
MD5 hash:
7b2503568d973590db783d519c089f23
SHA1 hash:
33aefa7a26e927f8e73f70216a32cb4a49d45d57
SH256 hash:
f0c89477d579cf7dcb360eb8f30c168d46aba7b07a6dbec7296ccad60cfa5927
MD5 hash:
398ec82c3e278a425b2efc5c6c8a76ed
SHA1 hash:
416c6cd08e4076efab6f8b5e83679e5204a9d934
Detections:
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
SH256 hash:
1671d8684b52c1af29128f816219687c909472a7131a1aaaf492b93bed1d9822
MD5 hash:
b02988cac49f777bb6aeea0a036e13d5
SHA1 hash:
3780777d25119f90eb9345306406ac17b910173c
SH256 hash:
e952493f9c1dc5bb85a120b470a1ca68fed1e9fae0a19f38bec62b1894d1004d
MD5 hash:
7b2503568d973590db783d519c089f23
SHA1 hash:
33aefa7a26e927f8e73f70216a32cb4a49d45d57
SH256 hash:
f0c89477d579cf7dcb360eb8f30c168d46aba7b07a6dbec7296ccad60cfa5927
MD5 hash:
398ec82c3e278a425b2efc5c6c8a76ed
SHA1 hash:
416c6cd08e4076efab6f8b5e83679e5204a9d934
Detections:
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
SH256 hash:
1671d8684b52c1af29128f816219687c909472a7131a1aaaf492b93bed1d9822
MD5 hash:
b02988cac49f777bb6aeea0a036e13d5
SHA1 hash:
3780777d25119f90eb9345306406ac17b910173c
SH256 hash:
e952493f9c1dc5bb85a120b470a1ca68fed1e9fae0a19f38bec62b1894d1004d
MD5 hash:
7b2503568d973590db783d519c089f23
SHA1 hash:
33aefa7a26e927f8e73f70216a32cb4a49d45d57
SH256 hash:
f0c89477d579cf7dcb360eb8f30c168d46aba7b07a6dbec7296ccad60cfa5927
MD5 hash:
398ec82c3e278a425b2efc5c6c8a76ed
SHA1 hash:
416c6cd08e4076efab6f8b5e83679e5204a9d934
Detections:
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
SH256 hash:
f0c89477d579cf7dcb360eb8f30c168d46aba7b07a6dbec7296ccad60cfa5927
MD5 hash:
398ec82c3e278a425b2efc5c6c8a76ed
SHA1 hash:
416c6cd08e4076efab6f8b5e83679e5204a9d934
Detections:
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
FormBook
win_formbook_w0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
625f5caa0e4422a01de12f875b7acf8c4edb699f36a7237c18bf3df7772a7e6c
3bcc7e2a22fd283ad188e24bd4dd4cc6180f2fc907de59cc3c952b89507bfed0
6c3de47dade4aecab32720941195ae5fd0c275f66358c05cb01162fc8c0189b3
f94f83d21d367554ddd900c8d8e11a93330e951cfb04ea40c0d8ac5b326cf9b2
1168c66115568c14523cc4659547af756df33815b971e519d0a7c09f56903ec6
9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
SH256 hash:
1671d8684b52c1af29128f816219687c909472a7131a1aaaf492b93bed1d9822
MD5 hash:
b02988cac49f777bb6aeea0a036e13d5
SHA1 hash:
3780777d25119f90eb9345306406ac17b910173c
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
SH256 hash:
e952493f9c1dc5bb85a120b470a1ca68fed1e9fae0a19f38bec62b1894d1004d
MD5 hash:
7b2503568d973590db783d519c089f23
SHA1 hash:
33aefa7a26e927f8e73f70216a32cb4a49d45d57
SH256 hash:
1671d8684b52c1af29128f816219687c909472a7131a1aaaf492b93bed1d9822
MD5 hash:
b02988cac49f777bb6aeea0a036e13d5
SHA1 hash:
3780777d25119f90eb9345306406ac17b910173c
SH256 hash:
e952493f9c1dc5bb85a120b470a1ca68fed1e9fae0a19f38bec62b1894d1004d
MD5 hash:
7b2503568d973590db783d519c089f23
SHA1 hash:
33aefa7a26e927f8e73f70216a32cb4a49d45d57
SH256 hash:
913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce
MD5 hash:
6ed7fdb62d95c081a373620f6d0ae7b1
SHA1 hash:
4bb89851167ee6a2ac32193a33bfafa731de1bfc
Malware family:
FormBook
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.