MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c
SHA3-384 hash: 30e2f6baf9b8472d6c0c3a707b3f8d345aecb3d656d1e6d99136f3a2ffb9d4a0958cd26bf85dcc76c3c77c9d455d89dd
SHA1 hash: beca9d53430f99bdab16d443975f86c5cee3189c
MD5 hash: 47ec48348daf4b7108c7c391c73b8620
humanhash: lion-potato-ceiling-alanine
File name:S0A.doc
Download: download sample
Signature Formbook
Create hunting rule
File size:621'056 bytes
First seen:2023-04-06 06:58:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:+r+FoGnBcx3aNCJwfFNOUU5ql0alUZJsNfzJTXEOVyP:+KoSa3asmf5U5oAHsNdrT0P
Threatray 2'545 similar samples on MalwareBazaar
TLSH T1A8D4120A7E599725C6B453F9C883360103B4FA6A968BF74A1CC665FA5FC374C8D22E43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:doc exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
S0A.doc
Verdict:
Malicious activity
Analysis date:
2023-04-06 06:59:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89616048-48f7-4987-aad6-b79ea5f27a4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380554/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642e6db9e4cbfcf36c5ffcb9/reports/335dbe1b-53cd-4aa6-9874-679a19205979/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a328606-9c3f-48fd-a5a8-3a0f865e10af
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209457
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 842374 Sample: S0A.doc.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 32 www.vkstm.store 2->32 34 www.texasgent.com 2->34 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 5 other signatures 2->44 9 S0A.doc.exe 3 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\S0A.doc.exe.log, ASCII 9->24 dropped 12 S0A.doc.exe 9->12         started        15 conhost.exe 9->15         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Sample uses process hollowing technique 12->58 60 Queues an APC in another process (thread injection) 12->60 17 explorer.exe 2 6 12->17 injected process8 dnsIp9 26 www.star-house.okinawa 183.181.84.3, 49715, 49716, 80 VECTANTARTERIANetworksCorporationJP Japan 17->26 28 www.elladeehiggins.com 216.40.34.41, 49701, 49702, 80 TUCOWSCA Canada 17->28 30 9 other IPs or domains 17->30 36 System process connects to network (likely due to code injection or exploit) 17->36 21 wscript.exe 13 17->21         started        signatures10 process11 signatures12 46 Tries to steal Mail credentials (via file / registry access) 21->46 48 Tries to harvest and steal browser information (history, passwords, etc) 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 09:29:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sl4kccwgfg6oqb3du47dmljsmyjz6q3hs4f7z3ftjnob7cbpei6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00330ca48a13a195fb80bcaba66fee393bba1821b65bd89cc1349687a99cfa55
Formbook
341db7699f4f2349d2cec4a85f09a899b322268b811d722aa9da9e035c0db874
Formbook
50e39da793e84dc45780be3dca5aed8fa300ae2aaf7708a58da92e31865f2e81
Formbook
7083c8ed81099db6c891014f96b0a56b880ac92bcdc9c681869f74594c3a3a7b
Formbook
89a1bcbf5cbf06ae932e2c7fe045436200ef03336d4df4202b359c477f08acab
Formbook
9c9f18ea63037d0eedabba89626fef34946df41219c3f7ff9669b8bef92ab879
Formbook
aec9db4b3d08cfbfb3731dd3ad74d19678393c35ce00655ad99ee7a2e8f0d447
Formbook
da9da68aedd7dfc3cb324b9c91c2e0ce75ecb7abc0283b1aea395022f277978f
Formbook
ec6cebe1ace02965184a065528322e6b881abc1930d87223cfeafac4204c0bbc
Formbook
f0e160fc8c0dacffdd789b3a91933fd9c3d629077d25e29a4f69217220689374
Formbook
+ 2'535 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230406-hr3xxsdg8z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2547b4aa547a791c7d640d05bbcf0ad0b9f3454602d237ce4d711094d876e094
MD5 hash:
9f8b91f9fb2c65536489e8c21d75c9ab
SHA1 hash:
4a8f9db9cbf35480450a0b7470847c548ff85098
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
Parent samples :
30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4
92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c
2209edf0bdf92002d675b50958adeffbffb6f8aabf27ca011e0528b453db566a
SH256 hash:
6f372a7a6382e1da81f1bf3ae434cf3944ba401938ce653bf6020df097aa9832
MD5 hash:
548c11d4d5a260b66852253016f20c8b
SHA1 hash:
c2616495c45ed8b158a2525715f4ba1961a88e1d
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
SH256 hash:
da70f9f92e5e470703b9e6f3658c6cb62cd43f1e7a3e21a053913afc022bb879
MD5 hash:
e895aa449f2d8e5a75cfdd437fbe6f0b
SHA1 hash:
ce724d2d70fe7ee92205188fa378dff587880b85
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
SH256 hash:
4a7651492eccfa5bdd18e0da03041e16b086cd91425a6d3053a5849a94cf1458
MD5 hash:
aa3b3d9101f53c9fe05142d30eaa1eba
SHA1 hash:
afce04c24afcd52dac220455b6d899a5b2ffe606
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
SH256 hash:
3f0931f2e20f733d1e9d6aee0fd6808a1f342913dd1e35eb80f46b327f6f492a
MD5 hash:
b02923c0412984689b470aeefc8cb72a
SHA1 hash:
7d17d5049503a3502e789a636aee6c31eeed8725
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
SH256 hash:
92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c
MD5 hash:
47ec48348daf4b7108c7c391c73b8620
SHA1 hash:
beca9d53430f99bdab16d443975f86c5cee3189c
Link:
https://www.unpac.me/results/64998899-32e7-4f9c-8f69-278ea7539c3c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92f8a10ac629/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380554/

Comments