MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 15 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf
SHA3-384 hash: 8c4967a136a53362b1c80963e86f5bcec2cb4a002b7df417325c0624c082f002a58c7ce2ea799a93985d0815e682fdff
SHA1 hash: aafd16cf8076743db24121e5198408642a618a3e
MD5 hash: 474296e9771f4f3381571330ce5d0761
humanhash: arkansas-yankee-black-winner
File name:474296e9771f4f3381571330ce5d0761
Download: download sample
Signature Formbook
Create hunting rule
File size:663'552 bytes
First seen:2023-11-24 04:45:48 UTC
Last seen:2023-11-24 06:14:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:R1k1ELt0bzdw4autdTop4+Q89HznBxwAX3nF5q:c1OJXugp4bEHDLXX2
Threatray 326 similar samples on MalwareBazaar
TLSH T164E412387AFF2B33C9B127F94534414083F472A926A1F35A9DCA91EA0566B010F91FB7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
340
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
nanocore
Create hunting rule
ID:
1
File name:
New Text Document.bin.zip
Verdict:
Malicious activity
Analysis date:
2023-11-24 06:50:50 UTC
Tags:
loader stealer nanocore rat remote privateloader evasion opendir stealc amadey botnet arechclient2 backdoor miner smoke risepro kelihos trojan lumma redline zgrat socks5systemz
Link:
https://app.any.run/tasks/44d0ad6f-d31d-4038-b723-8e2d87c28c2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459947/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.5976.10459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65602a8a0a09154b1925d1d8/reports/54097cbe-7f9b-4290-ae8e-5a4c856d9ae2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4060969d-79b2-4ca1-956d-96c43ce47262
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347208
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 06:13:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugdcweblzomwyq6oces64pdo7gfv2avaz3u7hnqfe2monkm2e67q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2edd2b7b66e306c4e5b880fa407528694b88a9a65cfe2bf063aed45e6060803e
Formbook
360937271a1d61e89c3be7d77f79c686292a3feff0a4b1f53d1999b51c0037fa
Formbook
40203565c21de2f3923f1c4bb185068706f0bf56366cb099e6483737020b2ae3
Formbook
9761c8e02b65302ac53c1354d1b9c0ae5799523213d96e0b941df7699f0fa722
Formbook
be9fa4bd2766fc5e1d06a60c8e9fffcdb6d0c7cded097234b573abf97a19cc41
Formbook
f45cce1292aa30dc88decc03fe81e7c10a64e4302eb1e3faa81c385e36d2a1ff
Formbook
fa2c88f99a6730657c40165e33846ad3b90c462cadf9670ead80b2fda9e36584
Formbook
+ 316 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231124-fdy1psgf6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
20ed49e76c0f66e01d834e1b86acdf3747bf1b49a5b675efc164d8ddc693df87
MD5 hash:
f52f60773ea4e90dcd6e4d3eb0136007
SHA1 hash:
b463168811d07cdd0a0033e2ca84616a7783f3c9
Link:
https://www.unpac.me/results/5b344dd0-cd49-4eeb-aed0-dfa086ccf229/
SH256 hash:
10aeb41a28889c9e4774541d489af965e6e10895a69454c1a7d5ed732c8305fa
MD5 hash:
af58a9ed31a3388c85dad05182f615f7
SHA1 hash:
7b750781db7728d3e5c1c69f0ddabbdc33f95a61
Link:
https://www.unpac.me/results/5b344dd0-cd49-4eeb-aed0-dfa086ccf229/
SH256 hash:
4ae3c96439093b2627931bc9f86c30a8aebcc842160689015e442caaf4e145d3
MD5 hash:
b4ac6241843191e8bfecc585ef549d92
SHA1 hash:
ef465b6d047b365c8a577c3c32f986eab9a79765
Link:
https://www.unpac.me/results/5b344dd0-cd49-4eeb-aed0-dfa086ccf229/
SH256 hash:
797e57bd74a68f7b4808a213f5c319ee4f4b023bc73088175d4393dfee9fe329
MD5 hash:
3c927935fbd608e7628cc2c5ad7d52fd
SHA1 hash:
ee0c880c0614ac960fd641f7d479233584aed1d8
Link:
https://www.unpac.me/results/5b344dd0-cd49-4eeb-aed0-dfa086ccf229/
SH256 hash:
0e04355fb6522a01885d032fd297b0cbfcf94fc3f5c879946eb77ccb8b0f55f0
MD5 hash:
1258df2cbe5760268b36fc1f5bb4c202
SHA1 hash:
3bb350f7e7644d5aabfa693897cec502b5657a8a
Link:
https://www.unpac.me/results/5b344dd0-cd49-4eeb-aed0-dfa086ccf229/
SH256 hash:
a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf
MD5 hash:
474296e9771f4f3381571330ce5d0761
SHA1 hash:
aafd16cf8076743db24121e5198408642a618a3e
Link:
https://www.unpac.me/results/5b344dd0-cd49-4eeb-aed0-dfa086ccf229/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a1862b102bcb996c43ce1125ee3c6ef98b5d02a0cee9f3b6052698e6a99a27bf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2734930/
Cape
Cape
https://www.capesandbox.com/analysis/459947/

Comments


Avatar
zbet commented on 2023-11-24 04:45:49 UTC

url : hxxp://zang1.almashreaq.top/_errorpages/assadzx.exe