MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
SHA3-384 hash: c6dbefe6a71a2b6ee99d8ba26b10f6013af98d7ee76f783ed68f1e82a9d9aeb7baeda771bdf8f91977e63b844ed6296e
SHA1 hash: d01980bb61f6c88f9daaaa635b9ebd4221d663ba
MD5 hash: 7ca8644f83cce4c44c80ca63cc2a1df0
humanhash: cola-angel-happy-ink
File name:SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.19632.2421
Download: download sample
Signature Formbook
Create hunting rule
File size:676'864 bytes
First seen:2023-01-17 12:59:40 UTC
Last seen:2023-01-17 13:32:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:hdnu0b+NoexY/vAV4nI1ezI7kGzrb1yNAsTGMLiozj3Pj5lK8LTl:hd3+NNx84xesNrb1yrHHF08LTl
TLSH T158E48C42567B83E2C4B90EB0143CA81836A15CD18B6CB13EBD477DBE9CE675F14A9B13
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.19632.2421
Verdict:
Suspicious activity
Analysis date:
2023-01-17 13:02:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b71417d-ecf1-43c2-b39e-ea7cff0dd7b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353778/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.19632.2421.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c69bd5c4dab251690ea729/reports/2968aa2b-51aa-4976-932b-dc0a4eff6879/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b48ec760-84e4-4daf-858a-7c314109a991
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1153054
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-17 10:11:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2oq6vtytjwmjygrferlmvjl6532tjmca36fybrzvmrn3buiayaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230117-p8nb5agb67/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
6f21d46bc9ef68041d0b0ec89b878cae1e5b996988f5b367d54c46e00e782ef3
MD5 hash:
b23ff9e28cdfc56d60a68f42b346fc05
SHA1 hash:
e4eb037c7732ab9b73d59b66274816ae605dc3ee
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
Parent samples :
9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176
SH256 hash:
0d69ffb6d71bb73cb201c5d720e706020ecf8128b75a75df62b114a3a99709f1
MD5 hash:
dac31c8bc4e4a583f6571778e0cf57e9
SHA1 hash:
1a104ea41ecf0459fb8f5878182b5b1e48c4897d
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
SH256 hash:
4d6a597c5e6a0661115f03378ac70ff631e9d7751a5bfc660743bc55d4cc9fe3
MD5 hash:
6d26e0d6d9674a2cc960a973be6b438c
SHA1 hash:
40713b24b93d248c35dc7bfb69a56c5e4e7f144e
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
SH256 hash:
fa3fde5e49855b561eb40bad9539a89d4f922f9ae528a1c6c3c023c97b62b351
MD5 hash:
3c4786735f78cefe6bbe4495c6b426fb
SHA1 hash:
045306824e4a66c698218670e2b32539d1b89327
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
SH256 hash:
fe3f595e59ac44bb25b344ba911d473b3e39b4b616baeede85f2bfc0a061fc12
MD5 hash:
c66cea2530cc078d07a3ac1d17b2bf87
SHA1 hash:
034c492db206ef2a4aaaa14460d19c3ba2f112ee
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
SH256 hash:
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
MD5 hash:
7ca8644f83cce4c44c80ca63cc2a1df0
SHA1 hash:
d01980bb61f6c88f9daaaa635b9ebd4221d663ba
Link:
https://www.unpac.me/results/d8b1ced2-ca16-44b6-a164-97bc2ee487b0/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a69d0f56789a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353778/

Comments