MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d
SHA3-384 hash: c3b0c30cfa3d133049af7072f9e3eddfaa8c5e00676f5d6eb9d114c0b1c5e7d6a809df3d86a53ab4a72c90741bdcaa35
SHA1 hash: fceda81f6b0ae34f9463a9d65a997056d2ff848a
MD5 hash: cb5f40ff52a602bc28bf91184d5291a3
humanhash: lima-skylark-salami-undress
File name:cb5f40ff52a602bc28bf91184d5291a3
Download: download sample
Signature Formbook
Create hunting rule
File size:889'856 bytes
First seen:2023-03-15 01:29:25 UTC
Last seen:2023-03-15 03:28:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2sMSz4oqtmUznWCc8IpvGVwT5gp4w/0da7:snWIItGVwT6Md
TLSH T13515AE83E8CB72DEE9185932C6C06AFD7B549EF160E6D73C2FB982D4901460196873E7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d49e21a296968660 (11 x AgentTesla, 9 x Loki, 8 x SnakeKeylogger)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
KR KR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb5f40ff52a602bc28bf91184d5291a3
Verdict:
No threats detected
Analysis date:
2023-03-15 01:31:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7402304f-f82a-4a16-b050-8baac83af169

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374421/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
71%
Tags:
packed
Link:
https://www.filescan.io/uploads/64111f9e2477a9bb41e3af03/reports/d4f4bb32-373b-480d-8e74-023d53f73702/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9df91216-59e3-4ea1-93c4-3f29b31b9f9a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193826
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 826727 Sample: q9TszZR9W5.exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 q9TszZR9W5.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\q9TszZR9W5.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 q9TszZR9W5.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 4 1 14->17 injected process8 dnsIp9 30 www.jjzb10a.xyz 17->30 32 www.huluxia2.xyz 17->32 34 7 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Performs DNS queries to domains with low reputation 17->46 21 rundll32.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 08:26:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufmmwzvpjxssuscf4qttqn4oqvenx3lc7alaqrku36za33vuawgq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dr62 rat spyware stealer trojan
Link:
https://tria.ge/reports/230315-bwt29acg21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
d8f0232a14c9ab086e670933be20e0e50598fbbcbf6971b45e2b2913e1330a86
MD5 hash:
8255e269995d02bb36722998bf8077b5
SHA1 hash:
4b6df72b84f912b11d0289e05d95cf9335e34e79
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/850fdd5b-774d-4f0c-bc21-d36f8d84b56f/
Parent samples :
9784d4f3af63382e92105496844b25bc4e42e92305b7707c3fd6451c98c391f6
a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d
9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
d47eb4bff603d2015f8dc6512a51e8b37e42c53d7760ceb0bcf34ea875200d14
9895575b7f29abeddb92d3c078a06929876212e7980605727e46b2e88974a7ec
SH256 hash:
79383187b30f8ce7d7aec15a4fb2fedea84fbdd23e9095119be49e1848c1234c
MD5 hash:
97fad0d923a4a95e34e1857ad026725f
SHA1 hash:
d7ceb1314bcbb31e22100adf4e7bbfaf9e3e4462
Link:
https://www.unpac.me/results/850fdd5b-774d-4f0c-bc21-d36f8d84b56f/
SH256 hash:
f895769f0c0014c630ef6da430b0be49e09b2b09961e867f2e9c9b3c9a3366ad
MD5 hash:
c68abe610968557e2c047d9e4423f507
SHA1 hash:
9b1ec7249cd0671a65c5c8be3abc70d693ec6f20
Link:
https://www.unpac.me/results/850fdd5b-774d-4f0c-bc21-d36f8d84b56f/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/850fdd5b-774d-4f0c-bc21-d36f8d84b56f/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
e7ba753b7c22abefec7148f209d8a2f9b402064487de82d22db7baa10b0db9c3
MD5 hash:
5a514b1787da12cfb09ae0d4f977a7a0
SHA1 hash:
6de16b7bb53049e0b976373adc8c608163fde6ad
Link:
https://www.unpac.me/results/850fdd5b-774d-4f0c-bc21-d36f8d84b56f/
SH256 hash:
a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d
MD5 hash:
cb5f40ff52a602bc28bf91184d5291a3
SHA1 hash:
fceda81f6b0ae34f9463a9d65a997056d2ff848a
Link:
https://www.unpac.me/results/850fdd5b-774d-4f0c-bc21-d36f8d84b56f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a158cb66af4d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/a158cb66af4de52a4845e42738378e8548dbed62f816084554dfb20deeb4058d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374421/

Comments