MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2
SHA3-384 hash: 8bbf3d45248a11780b915c8353bd78c4a381fe1070f86af910b018b2a1fd9b5e5c46efed1d1beb40ece0c0caab476284
SHA1 hash: 2660c13bb4af22fe8d7ed41a4dfa748de99c07e0
MD5 hash: d191dc8af5b2eb9a211f94c1c3cb812e
humanhash: alaska-kilo-ink-potato
File name:AWB...exe
Download: download sample
Signature Formbook
Create hunting rule
File size:534'424 bytes
First seen:2023-12-19 14:50:15 UTC
Last seen:2023-12-19 16:16:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:p1oSb+Fwr5tcclp3QqZfxVwgRITM9gdgb+pRr:1+F456clVQ4fvRIIadgbsl
Threatray 12 similar samples on MalwareBazaar
TLSH T1A0B48B4C26BA7A55F5A5B7B3A7930200D771AC2B24EBC1099C81F5F9553274A0B83ECF
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Microsoft Cooperation 2023
Issuer:Microsoft Cooperation 2023
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-19T09:10:17Z
Valid to:2024-12-19T09:10:17Z
Serial number: 31d56a5e536ca1789fac5b1a7be9060b
Thumbprint Algorithm:SHA256
Thumbprint: 18be3da353bba460b64e2bf454e113c5dda14b6958d0178f6adb3bcceb8436a9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468504/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16839.24029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/6581addaf4b6e5e163508674/reports/b0e1a36d-7241-4326-bd6a-9116ca7fbb0c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/736807bb-b7bf-4fdb-a28d-35eff1857949
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364574
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364574 Sample: AWB...exe Startdate: 19/12/2023 Architecture: WINDOWS Score: 100 26 www.ultima-markets.info 2->26 28 www.sugargz.com 2->28 30 14 other IPs or domains 2->30 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 10 AWB...exe 3 2->10         started        signatures3 process4 signatures5 54 Writes to foreign memory regions 10->54 56 Allocates memory in foreign processes 10->56 58 Injects a PE file into a foreign processes 10->58 13 calc.exe 10->13         started        process6 signatures7 60 Maps a DLL or memory area into another process 13->60 16 kLnuzCzHhhYbgaHlKJiqvS.exe 13->16 injected process8 process9 18 certutil.exe 13 16->18         started        signatures10 38 System process connects to network (likely due to code injection or exploit) 18->38 40 Tries to steal Mail credentials (via file / registry access) 18->40 42 Tries to harvest and steal browser information (history, passwords, etc) 18->42 44 4 other signatures 18->44 21 kLnuzCzHhhYbgaHlKJiqvS.exe 18->21 injected 24 firefox.exe 18->24         started        process11 dnsIp12 32 www.betaplex.click 172.232.128.154, 49755, 49756, 80 AKAMAI-ASN1EU United States 21->32 34 www.uzonedich.com 103.48.135.8, 49765, 49766, 49767 XIAOZHIYUN1-AS-APICIDCNETWORKUS Hong Kong 21->34 36 9 other IPs or domains 21->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 09:35:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfwroehko2z5psjsmhhg3jcqxqiqiftaf3qajte3cffrcslnwtza._file
Verdict:
malicious
Similar samples:
0045fed5ccd3160d994bcf092af98d0e24e26fe1a05ab3a126881e032d1f938f
Formbook
0a05f095a607b11fec6ad7e90f87cbb51d41b3b2911c54630e819c84ab6900b7
Formbook
220be96884f744741958b96b4eb85d3b23637f457a71e836190b9b4546e45574
Formbook
69b893ef6bcb3a609339321a763b2044962b5330856c73a38a9651905cccd836
Formbook
c2204454facf5a10af80ecbdfd133ab7625fb82bd7ec49ee4d1ee095314b375b
Formbook
dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83
Formbook
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231219-r75wwshahl/
Behaviour
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
cb4b6143023fdd3ac08dfdfe65c08753be5f0e6141ec212df19ed2758926668e
MD5 hash:
1530e18ddcccd399e02bc215e6c770cb
SHA1 hash:
f42db8bd08d2c9b151ab623aee899b8daf2b9e6c
Link:
https://www.unpac.me/results/96b12e9e-876f-4697-8c33-1cbd98673c9c/
SH256 hash:
916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2
MD5 hash:
d191dc8af5b2eb9a211f94c1c3cb812e
SHA1 hash:
2660c13bb4af22fe8d7ed41a4dfa748de99c07e0
Link:
https://www.unpac.me/results/96b12e9e-876f-4697-8c33-1cbd98673c9c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/916d1710ea76/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 916d1710ea76b3d7c93261ce6da450bc110416602ee004cc9b114b11496db4f2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468504/

Comments