MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06
SHA3-384 hash: 50dd6407202cc142f3c10a6243385727956ced97f194f66c5742408ba2030927812b5e8aca053e1a631c2a9d1c7be66d
SHA1 hash: 14f83588e4c9408da72a6df0b77d6b30c33f5f11
MD5 hash: 09a60f5008364c4ea7122478e550a2d5
humanhash: bacon-white-butter-moon
File name:SecuriteInfo.com.Win32.PWSX-gen.6654.20448
Download: download sample
Signature Formbook
Create hunting rule
File size:908'288 bytes
First seen:2023-07-25 10:32:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:XxkUHIcTrGCSGwiI2s2qZYTmO0hZ8P7QI5deH2Rah3:BhHIkrzSviIVGTIozpo
Threatray 3'447 similar samples on MalwareBazaar
TLSH T19F15AD9625A49FC6C0694FF844602D3413AA5EC82C28EA254DB530DF1937B8FB5F1EB7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 98e4c8d8dcd8dca3 (3 x Formbook, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.6654.20448
Verdict:
Malicious activity
Analysis date:
2023-07-25 10:36:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cfb53331-42e9-4c3d-8e60-48c888252e00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432112/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6654.20448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f809df15-29a2-4997-8bd0-62d642963648
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279040
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279040 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 5 other signatures 2->74 10 rlYvvBJZNYHIy.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.6654.20448.exe 7 2->13         started        process3 file4 82 Multi AV Scanner detection for dropped file 10->82 84 Machine Learning detection for dropped file 10->84 86 Tries to detect virtualization through RDTSC time measurements 10->86 16 rlYvvBJZNYHIy.exe 10->16         started        19 schtasks.exe 1 10->19         started        48 C:\Users\user\AppData\...\rlYvvBJZNYHIy.exe, PE32 13->48 dropped 50 C:\...\rlYvvBJZNYHIy.exe:Zone.Identifier, ASCII 13->50 dropped 52 C:\Users\user\AppData\Local\...\tmpCDF2.tmp, XML 13->52 dropped 54 SecuriteInfo.com.W....6654.20448.exe.log, ASCII 13->54 dropped 88 Uses schtasks.exe or at.exe to add and modify task schedules 13->88 90 Adds a directory exclusion to Windows Defender 13->90 92 Injects a PE file into a foreign processes 13->92 21 powershell.exe 21 13->21         started        23 powershell.exe 21 13->23         started        25 schtasks.exe 1 13->25         started        27 2 other processes 13->27 signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 16->62 64 Maps a DLL or memory area into another process 16->64 66 Queues an APC in another process (thread injection) 16->66 29 explorer.exe 1 16->29 injected 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        process8 dnsIp9 56 shops.myshopify.com 23.227.38.74, 49685, 80 CLOUDFLARENETUS Canada 29->56 58 www.velvetdivan.store 29->58 60 3 other IPs or domains 29->60 94 System process connects to network (likely due to code injection or exploit) 29->94 41 mstsc.exe 29->41         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 41->76 78 Maps a DLL or memory area into another process 41->78 80 Tries to detect virtualization through RDTSC time measurements 41->80 44 cmd.exe 41->44         started        process13 process14 46 conhost.exe 44->46         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 07:29:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sw773wyjdqvsehytswskjty5x5fdvuuwhcsqhn6mqwciurizryda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12d7296fa8ee95861d67877223842af8b28608bc8ea32cdff1c269701da3727e
Formbook
21a3feee6f44d5a03971e5aced1f93b6bc28950d2729f411a477fdec605ec156
Formbook
5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3
Formbook
8c5c20763f5514325caf9fd4aa11531658fbf52200ba359f4aa3d4c7284c464d
Formbook
9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
Formbook
a2562e99d8118fcd1d9cd40b1811900664bb3bdd6de0caa5c1dfabd595091b66
Formbook
ba2ca0c5ba29b90d2ce55292293642c9f6b3b931381db8221d529452d04a5189
Formbook
df72be5f9ed3c15149f37c8fdb80683554f439257317837b0b6bb96dc4cac387
Formbook
e83d65ee23f397269dd89a621fba51c803ea65652d22679fe6e6dcdc16e798c5
Formbook
fe1140b9f51be2ad605b26a161f79839994aad33089412401912811eb6d569e0
Formbook
+ 3'437 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bi62 rat spyware stealer trojan
Link:
https://tria.ge/reports/230725-mlh3saca98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
1a3d0678029be2b5ccd298d36fbebce6ce17904b8470fa136ca57350f0ceecd7
MD5 hash:
7e838024233d89a29dbc11a8be4fc2be
SHA1 hash:
2997af73458ecb23e91d4f0494fbbf19a3db916b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d2a1dc07-4eae-4846-8635-9229dc285f0d/
SH256 hash:
dff1063ff8b5c88e01cd689c9cc057a77608037a66ca117bc8fd1a6c2170858f
MD5 hash:
075394c285bbb277d34f07769018c41e
SHA1 hash:
b7be93e23c0e96d77914f2e1e53fe391f8e95a52
Link:
https://www.unpac.me/results/d2a1dc07-4eae-4846-8635-9229dc285f0d/
SH256 hash:
e1eeef7a9585e86f81033e20305bf97579145b98f30bab06ba35a63db417ab48
MD5 hash:
34d293b1ac49a23bf4799ee3172f097e
SHA1 hash:
a76f9c758aaeb9bcc288495291876b3d72a6c4fe
Link:
https://www.unpac.me/results/d2a1dc07-4eae-4846-8635-9229dc285f0d/
SH256 hash:
8a39cd2770e8c1cc2fd89de0fb4aee9b2756715b296b93d05ddec19e2f600e4d
MD5 hash:
598a483d34f9276d347782bc07572f37
SHA1 hash:
1e4385160571e5884c44667bf0a4c9353930d33d
Link:
https://www.unpac.me/results/d2a1dc07-4eae-4846-8635-9229dc285f0d/
SH256 hash:
95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06
MD5 hash:
09a60f5008364c4ea7122478e550a2d5
SHA1 hash:
14f83588e4c9408da72a6df0b77d6b30c33f5f11
Link:
https://www.unpac.me/results/d2a1dc07-4eae-4846-8635-9229dc285f0d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95bffddb091c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/432112/

Comments