MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 22 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f
SHA3-384 hash: 243db4f82e8566bb302c1815813e509c54760bdd8fa95de7817936edf5820f8efc519b6839dd73f88b825b528f179e71
SHA1 hash: d00b4d865bc1b3e9b17970e95c45b8efb9e25a16
MD5 hash: 9aeed55e2703a03cf9e922dc695db1ab
humanhash: massachusetts-harry-pluto-tennessee
File name:9aeed55e2703a03cf9e922dc695db1ab
Download: download sample
Signature Formbook
Create hunting rule
File size:952'832 bytes
First seen:2023-11-27 15:53:38 UTC
Last seen:2023-11-27 17:17:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:1F8Q5W9t5E9XB1TXiHgM1APoJwCMbtmrebPKT4GYfpBhtD/:detAvTX2g8SonryPKTjY3
Threatray 146 similar samples on MalwareBazaar
TLSH T1761512967A5C9FC7D53F07F61A40E00457F26E396072E30E6CC275DB8AA2F9153A1A23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460758/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2548.22515.15258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6564bb9bbcca970107cf16b7/reports/5dee0b93-dbe7-4895-9db6-95e2b87ac6c3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a4c106a-8224-4bd9-b41e-c99a5edf3f85
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1348718
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-27 14:19:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvpmf4gd5pxyq35qetjri7xh774mcyuvl34okpawdicot7m5mu7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10f863afc82cd61fdc8a55bc67e2726401ac51c4e9647ddd19dbf1ea30df9e09
Formbook
19c50b3c8e3c4e074f378c9df1f484ca4f79c49fb2310880dad80eb09433f2fd
Formbook
4cac61484c84732dbe188caa0a13f8a688299c46a9d689b4b90fc76f299fe8d1
Formbook
4d5e7328c921bb038230d1e5bf189caf0e872b5c78c6a98b05526a3d876e8623
Formbook
e37b7ab55a181fa8e716b4694e85736075ce0d67b7b3aa024d7fcc7f65f1e0fb
Formbook
ece7b97dcb7fcba52f0b348578e52178bbb7bcc22540ed9123997b90c14323e8
Formbook
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231127-tb7fyshf47/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c4db24ba598dcc15e458176c4023931cd2b9957716ddf7ffb5af74ce07c98355
MD5 hash:
41bbdbcd06093931a1bc4a6fa411b869
SHA1 hash:
dbc72399ebdb63539d34c63f743c41ff4c8dcaea
Link:
https://www.unpac.me/results/719b4c34-3f13-4b67-8213-6f99cb4ec1f7/
SH256 hash:
d77dc3dbf2bcee738adc6a1c0ba1d512e1aaef9a9af0c6c724ee6c2dc2174274
MD5 hash:
368252a4ea25fb3f02788cd1acd219a6
SHA1 hash:
272c0533896a4cb37b73d498ecf17cd451b4a703
Link:
https://www.unpac.me/results/719b4c34-3f13-4b67-8213-6f99cb4ec1f7/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/719b4c34-3f13-4b67-8213-6f99cb4ec1f7/
SH256 hash:
2a0290a662e89a81ed2d9c73e54a0aeba209fc36617f134cf0aaa74690db47db
MD5 hash:
4820945deb84d6bd26460e8a6ba0c622
SHA1 hash:
c519540ad21594fa45fcc2e6e15cfbea8b3449b9
Link:
https://www.unpac.me/results/719b4c34-3f13-4b67-8213-6f99cb4ec1f7/
SH256 hash:
818b24c8a939548a20b2f402b6073a1289a7bb30348d3f10c30ac8a53a4d935f
MD5 hash:
3bc2f379521bab0acb4b73f363be1253
SHA1 hash:
1f1204b343823ffa9f6245eb8ef5acc1932ecae5
Link:
https://www.unpac.me/results/719b4c34-3f13-4b67-8213-6f99cb4ec1f7/
SH256 hash:
a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f
MD5 hash:
9aeed55e2703a03cf9e922dc695db1ab
SHA1 hash:
d00b4d865bc1b3e9b17970e95c45b8efb9e25a16
Link:
https://www.unpac.me/results/719b4c34-3f13-4b67-8213-6f99cb4ec1f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a55ec2f0c3ebef886fb024d3147ee7fff8c162955ef8e53c161a04e9fd9d653f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2735608/
Cape
Cape
https://www.capesandbox.com/analysis/460758/

Comments


Avatar
zbet commented on 2023-11-27 15:53:39 UTC

url : hxxp://172.245.208.19/119/wlanext.exe