MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3
SHA3-384 hash: 42afe75f57a51c5a87dd86ab6e8f4c8d4958f7a99aa1e804378816beb59dc143223d539f49e3963c01b44b2740a49220
SHA1 hash: 46c3cf7c072cdf9c9e6863364c05d6a018abad8e
MD5 hash: bc943e23667a6e0e5a4dc8863c79902e
humanhash: south-mike-alabama-nitrogen
File name:TT Slip.pif.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:815'104 bytes
First seen:2024-06-04 13:24:40 UTC
Last seen:2024-06-10 10:46:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'472 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:0bCuDnzyYxdTaVW+J8CJA0gyO9tX6Ng8:krRlaz8CJAQGKNg
Threatray 249 similar samples on MalwareBazaar
TLSH T17205010233AD7702D57D4BF9046141500BB67E67A4A6C37EDDC620CF6962F9032ABB9B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3.exe
Verdict:
Malicious activity
Analysis date:
2024-06-04 13:26:00 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/6585288f-8115-4e0e-bb29-ae2dfd7746e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilheracles-10020638-0
Create hunting rule

Win.Dropper.Nanocore-10024150-0
Create hunting rule

Win.Packed.LokiBot-10026312-0
Create hunting rule

Win.Packed.LokiBot-10027126-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665f418aab69e84d6a2f60fewin7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Msil Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/665f15afef9fdf64aa66ff3a/reports/c6418164-ac6f-44bc-a220-db1797979c54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e438522-a34b-42c0-a142-4b56043d0d12
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1451759
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1451759 Sample: TT Slip.pif.exe Startdate: 04/06/2024 Architecture: WINDOWS Score: 100 61 www.lenovest.xyz 2->61 63 www.shopnow321.online 2->63 65 10 other IPs or domains 2->65 79 Snort IDS alert for network traffic 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Malicious sample detected (through community Yara rule) 2->83 87 13 other signatures 2->87 10 TT Slip.pif.exe 7 2->10         started        14 csUeUTIHvnry.exe 5 2->14         started        signatures3 85 Performs DNS queries to domains with low reputation 61->85 process4 file5 53 C:\Users\user\AppData\...\csUeUTIHvnry.exe, PE32 10->53 dropped 55 C:\Users\...\csUeUTIHvnry.exe:Zone.Identifier, ASCII 10->55 dropped 57 C:\Users\user\AppData\Local\...\tmp71CE.tmp, XML 10->57 dropped 59 C:\Users\user\AppData\...\TT Slip.pif.exe.log, ASCII 10->59 dropped 89 Adds a directory exclusion to Windows Defender 10->89 91 Injects a PE file into a foreign processes 10->91 16 TT Slip.pif.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        93 Antivirus detection for dropped file 14->93 95 Multi AV Scanner detection for dropped file 14->95 97 Machine Learning detection for dropped file 14->97 25 schtasks.exe 1 14->25         started        27 csUeUTIHvnry.exe 14->27         started        29 csUeUTIHvnry.exe 14->29         started        signatures6 process7 signatures8 73 Maps a DLL or memory area into another process 16->73 31 gKxdGPYNhQoXfnUeVWi.exe 16->31 injected 75 Loading BitLocker PowerShell Module 19->75 34 WmiPrvSE.exe 19->34         started        36 conhost.exe 19->36         started        38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        process9 signatures10 107 Found direct / indirect Syscall (likely to bypass EDR) 31->107 44 compact.exe 31->44         started        process11 signatures12 99 Tries to steal Mail credentials (via file / registry access) 44->99 101 Tries to harvest and steal browser information (history, passwords, etc) 44->101 103 Modifies the context of a thread in another process (thread injection) 44->103 105 2 other signatures 44->105 47 gKxdGPYNhQoXfnUeVWi.exe 44->47 injected 51 firefox.exe 44->51         started        process13 dnsIp14 67 shahaf3d.com 64.46.118.35, 49752, 49753, 49754 SINGLEHOP-LLCUS United States 47->67 69 www.klimkina.pro 185.137.235.193, 49748, 49749, 49750 SELECTELRU Russian Federation 47->69 71 3 other IPs or domains 47->71 77 Found direct / indirect Syscall (likely to bypass EDR) 47->77 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3/
Threat name:
ByteCode-MSIL.Trojan.Dcstl
Create hunting rule
Status:
Malicious
First seen:
2024-06-04 00:17:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssay4p7vfyikat6nc5mycmba244qptqq5h3ja3xjr7jgy7nbhkrq._file
Verdict:
malicious
Similar samples:
5913da48fc0d4ebca6645a34254cb3a8a594841cd0b31b4e728b329b3a165498
Formbook
83d48e0c93caf20e68768cb684614e74b34b2708bc2f35754e3107db52ea4a80
Formbook
ca0e44de77ca87bdd8f7e6d9e1b778d45bbfd729a2d343c7c48cadfced235b3a
Formbook
eda2c26b8e51b2a9cc200c833885adcda86fe52f723dea2d6474172919aba937
Formbook
+ 239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240604-qnx69sha7t/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
63dac3a59d0a77ef2c50490df0602032664a113cb80c53cc686649be467e8be2
MD5 hash:
576bcab19ffe826ab1df342dcf621611
SHA1 hash:
aab4da2d28c0fb3254d86102db5e12f151f68d94
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
Parent samples :
94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3
ec436ac4230b5aee3167ff520d0c1d9e0083749e15d93e5cf2294537816e83a0
fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
SH256 hash:
4c69437931f31ac36c7ca6801e4fa1dd896e525980fe1304994d7b2d4bec21b6
MD5 hash:
fd8b4d583f055880bc1337c9ce773406
SHA1 hash:
ad63e31f72f5b34dd6df74f381d5b41481d8c1c1
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
bd4a82c94d52ca03f034c0014a30e827c8162430594a6dd22ef286374dd2da61
MD5 hash:
2f1de55165a011c8773c8198189d0ff7
SHA1 hash:
cb6f32089baf3a417ce1482af0f6b6c9d183ba6f
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
4ed3b0a80feebddd6441815ea99334d7eab55813713a9aa2953412b767405bb8
MD5 hash:
e472f83fa7fb92da892e8ebda9d92112
SHA1 hash:
af8477c3b9530134042aed375122d395d91879e8
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
55729815a6ad44739f2af0c7a7096f4153fcc109d440f23d0d609065e96b625e
MD5 hash:
82a8fdab718d8d9c1c82472293a72e3d
SHA1 hash:
042c0d08baf858128d32c01476380e142891456e
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
5fc8bbcf4f8deb30fb261e6f5c57e7e7de2e245afd57d8834cd39e73739a121a
MD5 hash:
889d5fd89952a1499b44667b49a434d9
SHA1 hash:
f704d94aedd07948fa205a9add0d6126f631f48b
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
dc4d5c4403eb3a0a419dc9ac68880d0ff32d9189f8b6f40136c419a8fb6304bb
MD5 hash:
9717731a87b17fc116bf167107e279a6
SHA1 hash:
d45465916a12d8fa7833b74c71e8cdb0732a6db8
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
e34a62b4d40a2c1aa19a036d50e32c2fd8631692963f4f164a13cce4fe0c337e
MD5 hash:
967ad6a0c0fb1e6373f50d49876d3c3a
SHA1 hash:
c8f4efe11661f06324d2383f41d3c11210a809e2
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
bfa568a9f38f6d94d99447ecc503adc998552d84670fc835895caf386d2e477f
MD5 hash:
c954dd0d4392ee83ffd366ea96712f26
SHA1 hash:
91bbeac215d3ab26c32a4c38ac2630dad5008351
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
472af2b2f642af753184323f52a9eec4a0db8ee78052cfe56f6f58e68ce8b038
MD5 hash:
41aa7b61c8074902ad8aff2b90e057bd
SHA1 hash:
4edb2e0a3b91be8f344d67e5f0a6f313978274af
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
cd56b264255e94ba6e867dae2792d9494a723a90bc1095f4b79d355ac091c6b5
MD5 hash:
d75e269cd58589e65fe41bff0ca68c21
SHA1 hash:
200dadc28ed56ec24c97b920daec30a77c5c518c
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
SH256 hash:
94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3
MD5 hash:
bc943e23667a6e0e5a4dc8863c79902e
SHA1 hash:
46c3cf7c072cdf9c9e6863364c05d6a018abad8e
Link:
https://www.unpac.me/results/d13622e0-2dc1-4766-9cce-4d2ecd9ca455/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94818e3ff52e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments