MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63
SHA3-384 hash: 5747c99569625ce3d8988b26025ca3416a5015a16c92b565a7b828ea1e32a0e4724303e09b597a719e02846d76f4c065
SHA1 hash: a997a2b9a79c3951f74b8331d9d338f8db35add8
MD5 hash: c6240f16924f29d562206c72eca67e5f
humanhash: october-papa-solar-fourteen
File name:Halkbank_Ekstre_20092023_073809_405251-PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:738'304 bytes
First seen:2023-09-20 16:56:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:GdwUJ2iNtxooevkol51LT9Ox119zN11pB5zvwGVzhthsZQ+aE+iu:lUJ16oeMuT9Ox1nzNBBVVbKZQjH
Threatray 46 similar samples on MalwareBazaar
TLSH T153F4F164366CAFE3D67E63F44298990503F6652EA13EE3550CC374CB65A5F808B21FA3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FormBook geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20092023_073809_405251-PDF.exe
Verdict:
No threats detected
Analysis date:
2023-09-20 17:20:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/620946ec-d488-4438-8b7c-e51308a3b518

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450108/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650b246934be449f0117b43f/reports/5a736ae4-0a19-468d-9eb7-6890150908d2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db6127ba-e67d-457b-a571-807a80359275
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1311743
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 12:55:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2rxbgubkyti7hnk5lbkvoogmfdjm7xrops5luxiudwyxxtvvnrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01b15d113f147c931149f8d1c883bbad3c3752cba08a96855774d21a3bb6e44a
Formbook
39fa589ea526a5070a88ddb3ef7e179f221552e2c90574b4480ac029ac634067
Formbook
63b59f1390003e44ffbd4460d2b6811586b1aaaf155a64186397002160b370c6
Formbook
75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f
Formbook
7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd
Formbook
8132806c05668768f28af83ccb49438520dcb0ece18326db9698623152f35018
Formbook
8ceceb731a2c09d552835ade18b92d47e10e24cb34cdb4954b1a97905fd10b29
Formbook
9849e7217530267aa3ee1f84b0fbca828a72c296cd1db7c43fa8fe7f319b54eb
Formbook
efaaf9e72db8504655c4ae81958252dff7454667d9fd559d1f3a1a4b53a3c8ee
Formbook
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230920-vf9ybabe68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
4e1d0acd8df0963ae1023673fd70de7002e0b09ca934b85599424b3946874b73
MD5 hash:
28639e0149e13d41b1610e84202f72bb
SHA1 hash:
6eebf71af746de9df8923e4e7363e8cf65a492f7
Link:
https://www.unpac.me/results/0f02fcee-5717-471c-8dd7-52fc5cb241c6/
SH256 hash:
a7dbdc2baafb2900d0c7c13a64217b4b5c09fe673631f0b9126c027380d93799
MD5 hash:
8658e3c2989701cced085171fdac955a
SHA1 hash:
e4c7caca0a993bdbfbde6d14d26b22435151ad60
Link:
https://www.unpac.me/results/0f02fcee-5717-471c-8dd7-52fc5cb241c6/
SH256 hash:
ec24f29e58f224ec5f49b46f67ae8b747ab464199d23f371aa66c9af89c2af5b
MD5 hash:
4558966bbe1c8f9514091a0e22c6cc7c
SHA1 hash:
b6bf2723177524a94e54ddb8036d09d8ae585c2c
Link:
https://www.unpac.me/results/0f02fcee-5717-471c-8dd7-52fc5cb241c6/
SH256 hash:
f81eaa1abe14620a12d66f2906fb74536570f579489befc12d985b2483d17ff8
MD5 hash:
6a1985480d88415dab4af9e77965933d
SHA1 hash:
36ac47cd70012c3057281fed60665f59cdacf28c
Link:
https://www.unpac.me/results/0f02fcee-5717-471c-8dd7-52fc5cb241c6/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/0f02fcee-5717-471c-8dd7-52fc5cb241c6/
SH256 hash:
96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63
MD5 hash:
c6240f16924f29d562206c72eca67e5f
SHA1 hash:
a997a2b9a79c3951f74b8331d9d338f8db35add8
Link:
https://www.unpac.me/results/0f02fcee-5717-471c-8dd7-52fc5cb241c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 96a3709a8156268f9daaeac2aab9c66146967ef173e5d5d2e8a0ed8bde75ab63

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450108/

Comments