MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9
SHA3-384 hash: e939f687f8422dc76c23aefbc83539364da4275f63cf54a358bfa9e11725b01d582931d49d123d24c867f7c087565c8d
SHA1 hash: e3dfa3816a4b4fa3c4e7146953f1cc7debb84be8
MD5 hash: 7bfc6728400d041f90f6dd5b3f67aa38
humanhash: skylark-single-whiskey-pennsylvania
File name:4TH HIRE SOA REMITTANCE_USD280,000.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:694'272 bytes
First seen:2024-05-27 10:17:17 UTC
Last seen:2024-06-03 09:49:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:QuzrYCFd6x0NOG61NSeL/wbnTzOELvg4vMtlLEMlaUrC3WPhp3LVZ0VXZGnNGa:N81x0NOG6TSsYbTfPmEMdeEhJpiVpGn/
TLSH T10EE423803569DB61CA7723F94490995003F2DE05949EE24A1CD332FAA7B6F06EFB3647
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 205cb064d8d4d408 (10 x Formbook, 4 x AgentTesla, 2 x Loki)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9.exe
Verdict:
Malicious activity
Analysis date:
2024-05-27 10:38:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e92c7adf-b8a6-4d5f-b4a3-03ccab7e0bec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66545e00121317197511fd36win7simulatehigh_evasion
Tags:
Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66545de144f31172b37dff89/reports/85c6f25d-18b3-4432-8098-51642d39bf7b/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2660d413-2399-4a8f-98ac-e43744e1cac5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1447924
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Process Parents
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1447924 Sample: 4TH HIRE SOA REMITTANCE_USD... Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 55 www.tranivel.com 2->55 57 www.retrorocketmodels.com 2->57 59 21 other IPs or domains 2->59 71 Snort IDS alert for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 11 other signatures 2->77 10 4TH HIRE SOA REMITTANCE_USD280,000.exe 7 2->10         started        14 GRogNEHvcL.exe 5 2->14         started        signatures3 process4 file5 51 C:\Users\user\AppData\...behaviorgraphRogNEHvcL.exe, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...\tmp16FF.tmp, XML 10->53 dropped 87 Adds a directory exclusion to Windows Defender 10->87 89 Injects a PE file into a foreign processes 10->89 16 4TH HIRE SOA REMITTANCE_USD280,000.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        91 Multi AV Scanner detection for dropped file 14->91 93 Machine Learning detection for dropped file 14->93 25 schtasks.exe 1 14->25         started        27 GRogNEHvcL.exe 14->27         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 16->67 29 vFRZZQiLgeOQDzGymvZVa.exe 16->29 injected 69 Loading BitLocker PowerShell Module 19->69 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 95 Found direct / indirect Syscall (likely to bypass EDR) 29->95 42 winver.exe 13 29->42         started        process11 signatures12 79 Tries to steal Mail credentials (via file / registry access) 42->79 81 Tries to harvest and steal browser information (history, passwords, etc) 42->81 83 Modifies the context of a thread in another process (thread injection) 42->83 85 2 other signatures 42->85 45 vFRZZQiLgeOQDzGymvZVa.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 61 www.diplocity.org 78.142.211.199, 49732, 49733, 49734 VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi Turkey 45->61 63 newmediamonday.com 173.254.28.213, 49752, 49753, 49754 UNIFIEDLAYER-AS-1US United States 45->63 65 11 other IPs or domains 45->65 97 Found direct / indirect Syscall (likely to bypass EDR) 45->97 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2024-05-27 05:04:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=slxvs3talf7monaakqgoqgialngqzizxc2xj6ajjkr5rdfav4hmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240527-mbyqgshb58/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
df475556d7355c545e794fed0fd1091071658ac39a4afc6e15dd7db03b61c67f
MD5 hash:
5feadc29d42e837ab92fec56019cda96
SHA1 hash:
1269e83b50b76141e4bea6ff85273c9e5d6c2fe8
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
2acb40215efa7c9ec35509e466799dc07a943c5a25a02732a47c87cc17358b8f
MD5 hash:
3022b9c07a7675854f8c31bc06b85904
SHA1 hash:
679ac736d8af9b820fc0b804518acf854aebe632
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
392286a40c5c9ee36326a6bf728e6d7e7543ab1fe29fc3d790ffc1f6b919103a
MD5 hash:
69db12ca748ba9490f90af633b21ba30
SHA1 hash:
b2bd5fcc7ef89e4d9ee37d81073462bdeff14f01
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
aae920669816646b4e0ac4a604482bd7803cad33aa31eb39b0e5661900b97df9
MD5 hash:
6ee07543aa79d4a0387c5167aab308dd
SHA1 hash:
c2af6c73d3bbe9232a18143c93f69a23ac07b068
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
629d47a2785cc0e7d40f8a0b73dd45b6187e5b78926b743db757e5b2508f3e2f
MD5 hash:
99b3119d8b15c6e8e3399284e41b3e13
SHA1 hash:
bfb5d1cc626cdef4f69f0d4b46fc4168ddf444fd
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
8769d8d70183b1ebb6c15b35d5a7607cbc2c84fd9cb2025772466739ebe5bc37
MD5 hash:
8094535fce3025caa360e2c6271523a9
SHA1 hash:
29164f716f124bee0b4b136065bc0309d963f013
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
d0b051e01d3e6793d5ef0321772bded697ccbc5cecf3598e42911673a41c2a95
MD5 hash:
7fb2d17ab276a5ed2c757d8d975b4f6f
SHA1 hash:
fb2764343c108896a2bb98d676eb2aff8a53ccb5
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
acae0bc738834a477d6a862677390b82560dc0d5aa17277a24e7722e6bbf4b10
MD5 hash:
b01ed5d7004da0f3ffced2609d096b9e
SHA1 hash:
d6a6dcbfa71b623536fce3354d44d0e7a712d7f1
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
3ac395b6c39280663817bbc6f3ff9555113a0d07092167a1899b840cc7711fd2
MD5 hash:
b26cec21bcebd3ed6ef7dab64e06f0dd
SHA1 hash:
b31267d93756a4a15c866919701413cbe695f1b2
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
d9ec52c87e87da0e859c2c7ee4bd060b9089c25867cdb9c82b7f1c5bf130cbfc
MD5 hash:
16644844da15c5026e5c02960b944ac8
SHA1 hash:
8d74e4247cec2c7c4ea200141d625105c3858c0f
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
c121199dda3e671c2bbc91230deaf291d3a3358c3ef7c962a0a9a322ef1baaa5
MD5 hash:
54cd9cab6f8536634f978279b5e4f9ac
SHA1 hash:
7c7d94d457363ee0e0e0247b19383e5552731b26
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
1d5c048b5b7c4368ba3beb315d2242b11f1229495047b9f74c3b74eedf0f553a
MD5 hash:
75241a23ab066e93e2fc5e4b7f244875
SHA1 hash:
2d483f67ad38a95ae715c86897115266c4c00092
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
8a3cbe2e0f85f97d8ab05bd028ecb328e455cb0295af475d5397335418c96386
MD5 hash:
e279ea542a2e5b6345f447e6bcfe7160
SHA1 hash:
abca1f5d81b9d2833338aa05e3555337c1ed05f5
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
SH256 hash:
92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9
MD5 hash:
7bfc6728400d041f90f6dd5b3f67aa38
SHA1 hash:
e3dfa3816a4b4fa3c4e7146953f1cc7debb84be8
Link:
https://www.unpac.me/results/7c42e6cf-f99f-464c-a634-dd3bb6a9c334/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92ef596e6059/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 92ef596e60597ec73400540ce819005b4d0ca33716ae9f0129547b119415e1d9

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments