MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a00c1acc8a2aa1c19112b0371a19fa0b6723807a89d2aa40d1733efae187451d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a00c1acc8a2aa1c19112b0371a19fa0b6723807a89d2aa40d1733efae187451d
SHA3-384 hash: 620f765553b082c853eaeb0e023d5449dfaf5ba303f4ae9d2f9f3b6ef4eb9f145b519800aff690a7608ec4c960bb603a
SHA1 hash: c592bbbe8124236a1107f2462ce551d4a56ad5df
MD5 hash: 443f20873a076fb8c211051bf021508c
humanhash: robert-winner-avocado-hamper
File name:D5678-9876500D.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'066'270 bytes
First seen:2022-10-21 07:43:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 24576:XblN0cOMT0j3ynyNw5orUsXQAKZNA46jgPd3:LliQ0jyyj/g9uod3
Threatray 247 similar samples on MalwareBazaar
TLSH T18235003A29379065FEFDC1317DD4B391126839BFADC80F86E640BAC531B36D216B0666
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 66c29abaaaaaaa86 (20 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D5678-9876500D.exe
Verdict:
Malicious activity
Analysis date:
2022-10-21 07:45:54 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/ab490e39-4d29-4053-b936-3e378f503ec4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322215/
Detection(s):
Win.Malware.Autoit-9973193-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44078/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63524dc4b5f60e72b8c7b821/reports/af1f0e47-22cc-4659-90a3-2743e2951f71/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20a91b22-6072-4d26-a2cb-f1988cb159d4
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094694
Signature
Antivirus detection for dropped file
Drops PE files to the user root directory
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 727332 Sample: D5678-9876500D.exe Startdate: 21/10/2022 Architecture: WINDOWS Score: 100 40 Antivirus detection for dropped file 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 2 other signatures 2->46 7 D5678-9876500D.exe 19 2->7         started        10 bykqtwdjloltc.exe 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\nvxtf.exe, PE32 7->28 dropped 12 nvxtf.exe 1 5 7->12         started        process5 file6 30 C:\Users\user\AppData\...\bykqtwdjloltc.exe, PE32 12->30 dropped 32 C:\Users\user\AppData\Local\Temp\6C96.tmp, PE32 12->32 dropped 34 C:\Users\user\AppData\Local\Temp\64F4.tmp, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\Temp\5C29.tmp, PE32 12->36 dropped 48 Drops PE files to the user root directory 12->48 50 Found hidden mapped module (file has been removed from disk) 12->50 52 Maps a DLL or memory area into another process 12->52 54 Writes or reads registry keys via WMI 12->54 16 nvxtf.exe 3 12->16         started        20 nvxtf.exe 12->20         started        22 nvxtf.exe 12->22         started        24 SgrmBroker.exe 12->24         started        signatures7 process8 file9 26 C:\Users\Public\vbsqlite3.dll, PE32 16->26 dropped 38 Tries to harvest and steal browser information (history, passwords, etc) 16->38 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a00c1acc8a2aa1c19112b0371a19fa0b6723807a89d2aa40d1733efae187451d/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 03:08:41 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uagbvtekfkq4deiswa3rugp2bntshad2rhjkuqgrom7pvymhiuoq._file
Verdict:
malicious
Similar samples:
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
Formbook
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
Formbook
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
Formbook
8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
Formbook
a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
Formbook
d5edadd969395a3c5fd2a2cf9832684b11680480b5ca75b464988cff244a6d6d
Formbook
d6184367b93e40e22f209756274697796820542d46d80ef74d810b2b8785bedd
Formbook
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
Formbook
fae591d3e1cea136791a06b8c59265af25eccf0d30b8500c9e8c664708e1937a
Formbook
+ 237 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221021-jktlcaaag7/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/292a34a1-0cd6-49ee-b830-57a5900d3c35
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/bb6f1dc6-ec06-40f5-9597-882f391b1400/
SH256 hash:
f1918efc55b55fd592de641f406eedda0356923b10d65ddab275963f2617383b
MD5 hash:
9b064a099506155df7498adf7db6a674
SHA1 hash:
de7a8e170dc49dfde0cb07dc27a854cf4ea0eb29
Link:
https://www.unpac.me/results/bb6f1dc6-ec06-40f5-9597-882f391b1400/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/bb6f1dc6-ec06-40f5-9597-882f391b1400/
SH256 hash:
a00c1acc8a2aa1c19112b0371a19fa0b6723807a89d2aa40d1733efae187451d
MD5 hash:
443f20873a076fb8c211051bf021508c
SHA1 hash:
c592bbbe8124236a1107f2462ce551d4a56ad5df
Link:
https://www.unpac.me/results/bb6f1dc6-ec06-40f5-9597-882f391b1400/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a00c1acc8a2aa1c19112b0371a19fa0b6723807a89d2aa40d1733efae187451d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 50af107e222511f18c5abf1a2c5e3327b282148e5d76b086559fda85e3b01d04

Formbook

Executable exe a00c1acc8a2aa1c19112b0371a19fa0b6723807a89d2aa40d1733efae187451d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 50af107e222511f18c5abf1a2c5e3327b282148e5d76b086559fda85e3b01d04
Cape
Cape
https://www.capesandbox.com/analysis/322215/
  
Dropped by
MD5 4f62e76a76917d307ad36d8911d083a3

Comments