MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4
SHA3-384 hash:	c711c1648f02acc6e24e408bf785e732cc13d799d0f7afc3b2234546169e6c5ad67417c58a60756c7377e21acda069b0
SHA1 hash:	420615f2ebdaa64394493e56fee595cea716b311
MD5 hash:	39ce57bc9efb0433750944901c485a63
humanhash:	paris-king-violet-robin
File name:	SecuriteInfo.com.Win32.PWSX-gen.28712.14694
Download:	download sample
Signature	Formbook Create hunting rule
File size:	668'160 bytes
First seen:	2023-09-18 11:54:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:GAfDuHOXkkVmQEwSTZm4TOhufno1EYk03JhM7RB2qZylfbdA2ZD8:GgqkVmQEwSTZtTOhgYtvM7RB2qE8
Threatray	24 similar samples on MalwareBazaar
TLSH	T1E4E4D0DA3160729FC93BC0F29E641E60A670A6AB4307A546942375DEDACDAC7CF105F3
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.28712.14694

Verdict:

No threats detected

Analysis date:

2023-09-18 11:57:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1fbd6548-582c-47d2-b0de-6ad5b20a2e58

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/449337/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.28712.14694.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65083a9983a0c6425df84816/reports/d61f1b14-2434-407e-a432-a48189684127/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/046162d8-649e-4d9d-8097-66675356c2af

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1309981

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4/

Threat name:

ByteCode-MSIL.Trojan.Spynoon

Status:

Malicious

First seen:

2023-09-18 10:56:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uvyevwn3eekgjx7yqktwozjyjixe5u6powckrsrycnrqjvtzttca._file

Verdict:

malicious

Label(s):

formbook

Formbook

120efb48724487028465fb5d25db17b9398f56bad7116e54299ab5087104e69b

Formbook

20174c141584b7674b7b97ab3afdfa6bbcd8b01e868ddae97fd080f8a6c904c7

Formbook

4588c6ac02ddd81f8315af2307ec516f58400c555ecd74944a77964fbdd992c1

Formbook

4a63fd45dcc97cf19892173f6101ff932109f8e3c382db28ea077c63a65f203d

Formbook

a456a0fcdedef851458b225f6bae02f6ee4e9ff6e1d479376d3766497aea8ac2

Formbook

c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d

Formbook

c57dc032205e3bcbf86a8dc6053377976c6acc015a837fdb1c30f6ec8d37ab01

Formbook

+ 14 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230918-n3fjnahb3w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

7849b6c0f255f37092349b1755b3d03897c472d0867462a154786ace92616ee1

MD5 hash:

ae2ec9d68f3a1dc6d375b8c0356f8d10

SHA1 hash:

cca41540b6a4504dcaa6930900aeaf19466ad173

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/70661530-0486-4c02-ade3-6fc849dc802a/

Parent samples :

a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4
b334948991343e7c83707d03ba19c913841e49022c74c1f890f036bdbc04071c
b59acfb5b280cb3a10b0fc0d758187750063096dc6690b6d2541ad036b816acf
581c56d24fa3b9fa4d7e3d3e62b1b66206a8ec8b4ee35e11c6dda562f8e6e639

SH256 hash:

a169ff30325aba709ef138d002d5def8d5def5729cafc3a856e56f577ccde034

MD5 hash:

982a462675182d6a83ad143da4166b54

SHA1 hash:

7df90c8b6fd3f501988367b7a81b94a0c0d93b0c

Link:

https://www.unpac.me/results/70661530-0486-4c02-ade3-6fc849dc802a/

SH256 hash:

4a8d70ece798fb6955e46bdb4b4813924a3bbcf205e585fd0aef148123a44489

MD5 hash:

3bcd5e9d69da03ebe27b9c2e472d9e8d

SHA1 hash:

aa268bd00ed60a5907b4b2a669ddd21a1b8bb4da

Link:

https://www.unpac.me/results/70661530-0486-4c02-ade3-6fc849dc802a/

SH256 hash:

22cfceefc57f00ec89464de278008f62827d628b803a5ebb46a9842aa8469448

MD5 hash:

5d64c5662f61d35e0abb6eb0e46869d7

SHA1 hash:

3342c4cf131e73eba4fc9fbf5a6856b8082979f8

Link:

https://www.unpac.me/results/70661530-0486-4c02-ade3-6fc849dc802a/

SH256 hash:

784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80

MD5 hash:

5caf74e6818e40e82651781613a42425

SHA1 hash:

2a182b1552373e0907bfd03db31120596df994d0

Link:

https://www.unpac.me/results/70661530-0486-4c02-ade3-6fc849dc802a/

SH256 hash:

a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4

MD5 hash:

39ce57bc9efb0433750944901c485a63

SHA1 hash:

420615f2ebdaa64394493e56fee595cea716b311

Link:

https://www.unpac.me/results/70661530-0486-4c02-ade3-6fc849dc802a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a5704ad9bb211464dff882a76765384a2e4ed3cf7584a8ca38136304d6799cc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/449337/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample