MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 13

SHA256 hash: 96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72
SHA3-384 hash: 6333dea75c8e2058c03b60b2896192b290d59010182f0398588ff113aeba068abae2ee03faf1797df4f728675419e0e2
SHA1 hash: c9d83a6b1bd570c1e97a50486c8f457e914755cf
MD5 hash: 92585e003fdfa9636f19093c6092b4cf
humanhash: helium-iowa-london-early
File name: file.exe
Signature: Formbook
File size: 748'032 bytes
First seen: 2024-01-24 10:13:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:RJjLBJI3rJdyrfhtxtZrqZlAKuBvUUQmcz1p7vYc70u3m5+EiHLJPlw:RJjrurJdkhTtyALtQmcz1pkc7DC
TLSH: T1F6F4E0AD7640B6EFC81BC93289A81C74E6206477530FD257A0531AECAE1E99BCF145F3
TrID:
  60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.8% (.SCR) Windows screen saver (13097/50/3)
  8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE): (image)
dhash icon: 24cccaaacc99d264 (13 x AgentTesla, 8 x Formbook, 1 x SnakeKeylogger)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 316
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
  Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  Antivirus / Scanner detection for submitted sample
  Deletes itself after installation
  Detected unpacking (changes PE section rights)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for submitted file
  Queues an APC in another process (thread injection)
  Yara detected AntiVM3
  Yara detected FormBook
Result
Behavior Graph: (image)
Threat name: ByteCode-MSIL.Trojan.Swotter
Status: Malicious
First seen: 2024-01-23 07:20:20 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of UnmapMainImage
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
Unpacked files
Detections: Saudi_Phish_Trojan, INDICATOR_EXE_Packed_SmartAssembly
Parent samples:
SHA256 hash: 49f12025017c6a5aec4d4b5c661048b49e05635297a55aba88e28b8ca74ef0ce; MD5 hash: 66cb5e8d0fd00d3f69cc260ce48dec0c; SHA1 hash: 11fb2d2634ad099a38a9814b52b5e2778e7c9e89
SHA256 hash: 96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72; MD5 hash: 92585e003fdfa9636f19093c6092b4cf; SHA1 hash: c9d83a6b1bd570c1e97a50486c8f457e914755cf
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__GlobalFlags
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
  Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
  Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
  Author: phoul (@phoul)
  Description: Look for MD5 constants
Rule name: meth_get_eip
  Author: Willi Ballenthin
Rule name: NET
  Author: malware-lu
Rule name: NETexecutableMicrosoft
  Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
  Description: Detect pe file that no import table
Rule name: RIPEMD160_Constants
  Author: phoul (@phoul)
  Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
  Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
  Author: phoul (@phoul)
  Description: Look for SHA1 constants
Rule name: shellcode
  Author: nex
  Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
  Author: Skystars LightDefender
  Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72 (this sample)
Delivery method: Distributed via e-mail attachment