MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927
SHA3-384 hash:	ff94a045a64744213e22f6dd060882dbfb098a0f17251f58f47acde0ab96e3fe35dfeffff0389e09cc71de9de5a3899b
SHA1 hash:	d6b713d71d3b9db28ab4855d1e0a78d2a922d91e
MD5 hash:	dc93c31c67b6d9e65cdc68e26f8816a6
humanhash:	quiet-beer-potato-beer
File name:	swift code.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	950'784 bytes
First seen:	2022-09-13 12:22:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ul2x1/AXvLWxDucK7ReeXtAt5Y8gnaQpeb2VANPEgvdUS:pqTN70eXs5Y1nMb2V/gaS
Threatray	14'256 similar samples on MalwareBazaar
TLSH	T1C0152C0721C54DA5C17250BC24CCC5B75B6A9E45E63BC942BFC9BDAFF1B2F2846D22A0
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	71d4f0f0f0f0d0f2 (11 x Formbook, 6 x AgentTesla, 5 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/309728/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.42577.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/632076f0b564f001cc8223bc/reports/370476ec-6049-4d42-a505-a0ac3f343f02/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc6bf8f8-4899-4b5c-aef8-7e5fdc9f2373

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1069454

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-12 13:43:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 25 (68.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uqk2sh2gyazql5njjnyz6b5bjt7fzvexvpnfi5rnzxkdj2oubetq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2d3125445c6c91b94fa30dc9e67ac60913014e1bfdf8cf0868ff7d0dd838839f

Formbook

577b86660674d1a71218a077a47bffeec8c618153b66ca4205fcfcaf2cf020c9

Formbook

69870e2a61815839fdc55f251a07c89580dc6c1725f850288c4dc190c08b7175

Formbook

a139b8fab8e24344af7b4f5a261440cb81449a71449e20e1ab16abdd4e35e909

Formbook

b96b285d4a28e1c31ca5c844fc8a9c6ff61a7dc3e283d5dc26ad697af46b8df0

Formbook

be702722d3bc33164534d9eae10457f1344d855ffc1c94dba5c40b97ef144052

Formbook

dac75f90478b07cd9c53c36a4d2b01e73b7e31554a9bfec57bd328031ec15017

Formbook

ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616

Formbook

ea40e7d13c60b9e59430c04c98eb834e0f64fc9f30cf9140726ca8713e843270

Formbook

+ 14'246 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ejgp rat spyware stealer trojan

Link:

https://tria.ge/reports/220913-pkfx5sfeh2/

Behaviour

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Reads user/profile data of web browsers

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ae27e2b4-5ead-4609-9e4e-e9b18836425b

Unpacked files

SH256 hash:

dc0b78b8dff95f26b817b087014f09106b2801b9f72d4b5d663c88d032a09718

MD5 hash:

d7635bbf67d9f1e7c6c6a41027b71b4d

SHA1 hash:

63dc09d51b28890543d813f013bfc98a249958dc

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/a764925a-0883-4c1e-9546-ef34d935a80c/

Parent samples :

fc437e069c626c4380522863a5329fc7b4aae8330903cdf13eeef54445ab6898
f9cb260e8f4d7486c00f8ead190336a776adbaeab55b514ce808e9c9e6c407dc
1a1523496f14c5d3a3c0cac4e0a5a19a782cb9c6bb2ab6a984bff04cd2ccdd36
ef485b6c343128cd8c40897fe6613cf65d759e330bdf6c6925f2fd7168ff4f06
f47848fb64be8caf6c55a0e4d8773a383ce526c10d072417b3e13edd04b9e73b
7caa5e395127eeb881461690c8c3f47252bee4e42c2b69716fe5fcb8d62b5fef
3014d818f3e7c9dc6feda171ba1370ca613e9a12238ec69ae3c5908a7f8483e7
582b9f31ea52585e315523385506389d3ab7bc50ffe1c5e1ff7f83aed0f1535b
e58b63e862b6038f3c96fc8224ec3c493321e5862b45704c5e3185224426167e
f6d985f7f6ea28d32427fd4543b310febacc8bd94e296c6aee33ae8532c9cae3
d1bb2951d655bd250df5eab810403bf4ca4f37f7bf38a641c74cfc1908464dc6
db43d92fb68d224b483a10ca9ef9e0da10f9073f9a17eb5e532cf8a20a449625
192270166e17780c5b1de39e0b906115798df4185b2413dedcbebd114a01a5e1
1b5882c4ba74d1cc2367938d0dd85e8c651887309d9c0abab0587d903878229e
a044da065d4eaf497ccc5365580e78eaea4411b8650e62052407f16afbb150ca
71b8d65f48ae74c35083b832b4ae5acb5564f744e5895a666f332392bce335cd
2a8df78b05fd8f497ed976ca4db985249c2c6b250850619168d5ee56b4c3d4a4
eb5553282526065116c7a3beaf3c707052f9268b5598fac475f6f96c88080419
16ba659d813dfa2c6d143c32c493f56266d9a408ec75b01b0aa019db2dad216c
41cd3397a694531836178ec9ceec2d7e2b127049bcd9e6a8bdd483728809624d
90d4d8f68b8e94514add55bedfb36e7bbe3bcc1781d6e00b0bc3bfaabe1d9301
3bfc405f340396a4b679a770d8232aec67f5e42d43c9f8b14aa3b689d444b917
49357eea6bdaa8334590e3cae0e14a265730944feef1792298bce6a13d7d54a8
a139b8fab8e24344af7b4f5a261440cb81449a71449e20e1ab16abdd4e35e909
ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616
dac75f90478b07cd9c53c36a4d2b01e73b7e31554a9bfec57bd328031ec15017
0f8f203e0b21e34ad21c3e762dbae4c4c7b158624a5f805ebf19e8ba05c76e5d
69870e2a61815839fdc55f251a07c89580dc6c1725f850288c4dc190c08b7175
041ee64deb9710bd802be8d6b2cdcf5623cd8ab974a52fe4bc4e4add965bb08d
b96b285d4a28e1c31ca5c844fc8a9c6ff61a7dc3e283d5dc26ad697af46b8df0
be702722d3bc33164534d9eae10457f1344d855ffc1c94dba5c40b97ef144052
443123bad678f73d1fa804d131c23f0ab5a334601de7e4b2681d9e5e2c03bc42
5db9ee8081b4a9e2359bd67b65edeec998aa12fb995a441adcec6e450f0fe6aa
d06e9a0bc38a688ec308ebf3b7806de3d4f13bc7e630f1c34f8e2356a9123e10
a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927
413ad4daf54c1b3c50f35aa2afb87a3582589599bb20085ccb7b89eb5acccee8
6beb15ecc2ebf386675a66585a253327e094c1c654f3cbe7fe93f8cca3c35b45
3dfbf2852a3ceda68d8e1b2d5e31a440b8ff30c4ed56e8952a9a614dfb2bb008
cf6bd9457b03ee9d17e0249c7d504d02eb902cc67dd1973119cf658531240e56
0f4847c04b273a0cc37ba6f7f9d4d9b3eb2685c3465cda610f90a0afa8440c9f
6bf5a3809ca423061cb16a815ca5e5f3ba86d6c7fbf5233fd68b589012eae0ab
1e68a25ee97601a9898f7af37b64a160c22db3bd8442888912e570bbdf7c5e48
9d3234fef11c8917c540d371dfe4cd268a737bc62cf900997752634c7124f634

SH256 hash:

41f7c9d8b89d4db744007d474fe5de72c1b3f27709876f8899d68ef173a38029

MD5 hash:

89d0806d9d72913e81dd1c0727d5bd14

SHA1 hash:

ee36c0dbe65b11aecd5eb3a0c0ae72954ff9f2d1

Link:

https://www.unpac.me/results/a764925a-0883-4c1e-9546-ef34d935a80c/

SH256 hash:

8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63

MD5 hash:

dbc7be56e6e32349315170599c8b333f

SHA1 hash:

d8e5840e3574b87d435e55a65ac648e040871aee

Link:

https://www.unpac.me/results/a764925a-0883-4c1e-9546-ef34d935a80c/

SH256 hash:

b216c2a75d9fd4f7c0d04af7a9c07ffcf3a51849160a59ddb54ddcfe60eecdcc

MD5 hash:

d247868c522dd0a3620d353838242a1a

SHA1 hash:

8fdcda29003eb996bb960d6889c705de6429f85b

Link:

https://www.unpac.me/results/a764925a-0883-4c1e-9546-ef34d935a80c/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/a764925a-0883-4c1e-9546-ef34d935a80c/

SH256 hash:

a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927

MD5 hash:

dc93c31c67b6d9e65cdc68e26f8816a6

SHA1 hash:

d6b713d71d3b9db28ab4855d1e0a78d2a922d91e

Link:

https://www.unpac.me/results/a764925a-0883-4c1e-9546-ef34d935a80c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a415a91f46c0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe a415a91f46c03305f5a94b719f07a14cfe5cd497abda54762dcdd434e9d40927

(this sample)

Dropped by

Formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/309728/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample