MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c
SHA3-384 hash: 3b4ff413bbbe508d9d190b9a48b43d7b6a13cfbb78a44d94f16cbd19d6aa53aa5e5470faed0264dfb96622a206b2d0bd
SHA1 hash: 6e20df1cea0fd2ad4a3149b7085becb5fa31f178
MD5 hash: c61c14e016aa835ade115c4e8463b20c
humanhash: california-music-freddie-princess
File name:c61c14e016aa835ade115c4e8463b20c
Download: download sample
Signature Formbook
Create hunting rule
File size:273'079 bytes
First seen:2023-04-26 20:49:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:vYa68PxF+8OzEwYa/2CPFSjh9x2h316InaVE8tLs/W+EIjWRnNTq+5:vYapF+dP2C8tjAl6InaEy0WdkoNT35
Threatray 2'700 similar samples on MalwareBazaar
TLSH T19A441249B0F8C92FF90202758A7D79B66FE5DC134DE2628F23D06B547833652981EF62
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c61c14e016aa835ade115c4e8463b20c
Verdict:
Suspicious activity
Analysis date:
2023-04-26 20:50:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a203a40-fb16-43cc-a5a9-af4be0fa9b05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385113/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/81571/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/64498e7c19db59e4586275ed/reports/c00517f8-7724-4516-b657-1802bdc18b5c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/aba0091a-0542-4eae-983b-2d5861a8337b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1221845
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c/
Threat name:
Win32.Trojan.VecStealer
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 17:58:01 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 22 (77.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3qzvp7hwjse2oct2twp7zlhxafzxmp63ypvgar35lhmcp5svrga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07a32665c106d4c5fab2625bda4d52f6c40b8137728f2ded016b90cad95a8545
Formbook
0bd096a462dd6ca8fd6563954bcb47167296672ce207e0a1b8b2407a796760a6
Formbook
628aa31e938f6407d365b1c833953f4d5b696c08c55b2b9905e2ab6dd724039b
Formbook
79ae6681fe6fdf1d7810a3bf37811b7c49f706ca0f4c04ab719633f924f727ad
Formbook
80de560dcd30d364bc855a7ec22607f884b9f9f4e8989e85c2d71377c399f1d8
Formbook
82bb5ca075a83da9c44b1a9214aa7590bf992d8206038b4f3edd6bd8230f966d
Formbook
8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a
Formbook
9123b739b8d3d1c2f5a3dabf8c358c77175422d0e83f5edadc7584bd50eb484c
Formbook
a3a3e10ea96961c3e5cc533be186a83f18fea89a5beb3074b04f4ee402c5f85f
Formbook
d341b6fe8642df50756dfc1fd18bf37e605718a7b6c2944d117b3a8bf13b4650
Formbook
+ 2'690 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230426-zmkn8abg73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
360559a039c9ebf904467afb5db7352ba5c33566fc7b551088c8117506611f49
MD5 hash:
59f94539ce0639a7cc84ad7861b8268b
SHA1 hash:
b918ef902bc566b91bc57b1421d8aacd8705db2d
Link:
https://www.unpac.me/results/8b4911b9-1a36-4e7b-aebf-5be72e199acc/
SH256 hash:
a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c
MD5 hash:
c61c14e016aa835ade115c4e8463b20c
SHA1 hash:
6e20df1cea0fd2ad4a3149b7085becb5fa31f178
Link:
https://www.unpac.me/results/8b4911b9-1a36-4e7b-aebf-5be72e199acc/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6e19abfe7b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a6e19abfe7b2644d3853d4ecffe567b80b9bb1fede1f53023beacec13fb2ac4c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/385113/
  
URLhaus
https://urlhaus.abuse.ch/url/2618953/

Comments


Avatar
zbet commented on 2023-04-26 20:49:45 UTC

url : hxxp://103.133.106.39/www/vbc.exe