MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c
SHA3-384 hash: 497ebdf96e2bb9c7ccf26184ba3398393dfc78baa0e7196b6fc3b63a7a6aa5237d314ccedc978a2fc1b6114963d032c1
SHA1 hash: 3e947be1b6a6460dc146b3ddb6669c5936effa2c
MD5 hash: b433a859a4e3921530a949b2cbdf833e
humanhash: two-artist-juliet-kilo
File name:04251452615625625.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:974'848 bytes
First seen:2024-03-21 08:21:46 UTC
Last seen:2024-03-21 10:27:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:AfMUuHZrFTGYkPGckyiGj7D11MTBNB1vTFegPdY+kj8udpY:UUrwY6GckI7HMTBNB1vT8gFY+k4w
Threatray 681 similar samples on MalwareBazaar
TLSH T143256ED1F15088DAED6B0AF16D2BA53025D77E9C54A4810C5A9EBB1B36F3342209FE1F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
339
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 08:42:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df821671-3b94-405e-8947-35b316ad22fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65fbee2f87137159d44cf144/reports/9f4f6547-e3fa-4ffb-9e4f-4e40582012c5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a919395-a524-478d-838b-8b4a863b65fb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1413035
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1413035 Sample: 04251452615625625.exe Startdate: 21/03/2024 Architecture: WINDOWS Score: 92 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected FormBook 2->32 34 3 other signatures 2->34 8 04251452615625625.exe 3 2->8         started        process3 process4 10 04251452615625625.exe 8->10         started        13 MoUsoCoreWorker.exe 26 8->13         started        15 04251452615625625.exe 8->15         started        signatures5 36 Maps a DLL or memory area into another process 10->36 17 ebDdmUnvzqFuNSfE.exe 10->17 injected 20 ebDdmUnvzqFuNSfE.exe 10->20 injected 38 Query firmware table information (likely to detect VMs) 13->38 process6 signatures7 26 Found direct / indirect Syscall (likely to bypass EDR) 17->26 22 WerFault.exe 21 17->22         started        24 WerFault.exe 21 20->24         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-03-20 08:14:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7hvuok6k7nq3a5atwxnlqqbbrp63tuknlfojxrnsy7m3fkqocga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
54a4891d6753b4acaa07bb6c01aebcb44a0140ffc05ccdc53785a74365969585
Formbook
614ae605266b9829b5577ebd8562f5fadb2ef82337597d32e54c8ace9f1ea25c
Formbook
789fabbbfa7aee3dcb77932312bb7a4a8facae1327dfd834c966ebb5aa7aea65
Formbook
b0b90ffc1bf2e33f057981b8d2451df026fc5179df8774f1cd647ff0a5bf89fd
Formbook
dfa384f6136c43639f6c66766ca81c245e65a70fcf92015656b1cd7a579a3647
Formbook
e0063d0d5bebd7b349f970ec640d1e14ccba6e766999bfd630ac52e791e2dc65
Formbook
+ 671 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240321-j9kdzagf7w/
Behaviour
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
0c6d69a44ab790d2b5c969bb6fe745922c021c5a8045db416d95d66fea7f6949
MD5 hash:
d4fa28533a5dab916e6b1b29272d9894
SHA1 hash:
0b525a5bef5a0a5588f6d5279eae2760df5dcb60
Link:
https://www.unpac.me/results/3984c574-4373-4838-bed0-6bb0a2b48fa1/
SH256 hash:
a99197a2e3f477d15802a9b2250a01f7cd2be8ed435141a4e280307f2a7f2b7a
MD5 hash:
9ac50796df27f8b3977d71000d15927c
SHA1 hash:
dcf769debf4522b0800188ab9cbef26d1dbe8aed
Link:
https://www.unpac.me/results/3984c574-4373-4838-bed0-6bb0a2b48fa1/
SH256 hash:
8a42144bfaed7278d478bb226c64cfad8abd909f2f4ce18ed17018eebbd590dd
MD5 hash:
10f2dcb1aa3ec0d37027968d347b257a
SHA1 hash:
b2d1181f17169f535a8bfa614c21aab23260155b
Link:
https://www.unpac.me/results/3984c574-4373-4838-bed0-6bb0a2b48fa1/
SH256 hash:
6e560b9e0152e9bcc0c8553c733ff067b66e371d2443bd1f9fad1b80d9e36ffa
MD5 hash:
cbb2b481e9087e9db8506f7e99c107a9
SHA1 hash:
918632d542ec4801f953a8b44c7cecd9fdc92627
Link:
https://www.unpac.me/results/3984c574-4373-4838-bed0-6bb0a2b48fa1/
SH256 hash:
b881c4bf6c05d939eb80592ab765faf55917199906bfb6ea71134a49da83b415
MD5 hash:
70bb35272438652f08256ba10b64386d
SHA1 hash:
8a4cc15f32618fb7660b7c056910f956bd86b99a
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/3984c574-4373-4838-bed0-6bb0a2b48fa1/
Parent samples :
86548927a6a677ef5b188069d885fd755d56dcd21ba7b01c96915ec888c86846
97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c
fc9a9c10b989fb790466a432945be2a122151bd634013222bfd87469a9f4d584
SH256 hash:
97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c
MD5 hash:
b433a859a4e3921530a949b2cbdf833e
SHA1 hash:
3e947be1b6a6460dc146b3ddb6669c5936effa2c
Link:
https://www.unpac.me/results/3984c574-4373-4838-bed0-6bb0a2b48fa1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/97cf5a395e57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 97cf5a395e57db0d83a09daed5c2010c5fedce8a6acae4de2d963ecd9550708c

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments