MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
SHA3-384 hash: e4b623427e98610e2ba97387d31fa5911313a0894dd223416615db2f2bd5cdcf707bd4c28d42728d2dd5d57cf27a0e4b
SHA1 hash: 07f11653d6f52ba401dbb1966081405a7bc4ade3
MD5 hash: 70ba285739cca49de3c60779e2d3b8c8
humanhash: fix-hot-pizza-emma
File name:70ba285739cca49de3c60779e2d3b8c8.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:672'256 bytes
First seen:2023-04-28 11:09:12 UTC
Last seen:2023-05-13 22:44:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:LEqv1BoMErC3OOyV/F53/tqzgRZxc85ta1OPCbN8I5RBKhwegQVtN:LEq9VgC+Z5VwgRY835PPgRBwd
Threatray 2'773 similar samples on MalwareBazaar
TLSH T130E4AD535065CD0FFE6ADBB085B4FF55A6F1F07324E194242BB921CACAA9F011E8C52E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70ba285739cca49de3c60779e2d3b8c8.exe
Verdict:
No threats detected
Analysis date:
2023-04-28 11:19:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be77f930-8215-4ac3-804e-afb0157f7d5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385440/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/644ba98e961a21dc785bcb3a/reports/dd805c89-d156-4df5-962a-b55257e5cc2f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fad360e-33c2-4aaa-b5ca-07db53ac646f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1222757
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 855712 Sample: VXki2g7eeT.exe Startdate: 28/04/2023 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 6 other signatures 2->42 10 VXki2g7eeT.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\VXki2g7eeT.exe.log, ASCII 10->30 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 VXki2g7eeT.exe 10->14         started        17 VXki2g7eeT.exe 10->17         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 19 explorer.exe 1 1 14->19 injected process8 dnsIp9 32 www.cascadesoundscapes.com 74.208.236.252, 49706, 80 ONEANDONE-ASBrauerstrasse48DE United States 19->32 34 www.amtasguopmn.buzz 104.21.83.109, 49707, 80 CLOUDFLARENETUS United States 19->34 44 System process connects to network (likely due to code injection or exploit) 19->44 23 systray.exe 19->23         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 23->46 48 Maps a DLL or memory area into another process 23->48 50 Tries to detect virtualization through RDTSC time measurements 23->50 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 11:10:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbosvjs6lnows5u767oruy7jbxu3274wu5x2s3cscn2ypnr5cala._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
319ed15753e7ce1ff182e1bd2e4900de9c76300f30cb645c01b57324de50face
Formbook
3c7e3789b58b388a933c51740bcdc44c6a46bdaca5969e46b6b183294f470bd3
Formbook
455357f9a8164dcc16dc461cb81c48bf0215d871152c7b6e1577944a4b6b6edf
Formbook
7f0a83fb59c743687b2076967768f0cea1a7772390d25bcd25ebee31caeaaa8f
Formbook
896d0711b287b0914d88b93ff8d06623c60f45b405e12cbc34a406e09942a577
Formbook
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
Formbook
cbdac32d6f43a1f03a26cc2fcc6ea13586f0d7f85764c1626cc71ce30bc0434b
Formbook
e014baadd84bece77f1f8366ea528671bf0bd70fcee974fe1a262bb0ec0a2565
Formbook
e7c2b8fd0f30db376c2c5d18f6bdac1ee47c07c8201f70fda8c52d135d8a1b93
Formbook
f641f1a87ee2a760b79417b410c52137c114e2618529bb90a0f281967975476e
Formbook
+ 2'763 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:tf6p rat spyware stealer trojan
Link:
https://tria.ge/reports/230428-m9qsjade85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
d92b34a7904f5d2c8c8b89d47b9e47fa3c82bf568c23130955129cd1e42d9981
MD5 hash:
37e4aa5e53ed3db3fb96b91861d890d1
SHA1 hash:
eb87e7ecff730848bd6397d7dcac6669795e69b2
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/f4fdb698-1064-49e9-938e-cc2992f8b34c/
Parent samples :
f641f1a87ee2a760b79417b410c52137c114e2618529bb90a0f281967975476e
e7c2b8fd0f30db376c2c5d18f6bdac1ee47c07c8201f70fda8c52d135d8a1b93
a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
030c152d386b5849508a740eecad662de4e716ad593eb95863c93bb9be046a62
908518191aecf6570fc10b1d299d64b2ac02f250fe17198a2407a9e12ddfcd30
9b72403d8d0663158210961631adbc2b5574b89c249804edef87de56ab36c9b9
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/f4fdb698-1064-49e9-938e-cc2992f8b34c/
SH256 hash:
8a92b687f390146f4f5e6472dbbda982786c5bf34732d1cb3366c383a73fb1fd
MD5 hash:
57ba1e148ba7bea56c875d969dd58636
SHA1 hash:
acead993d0597d510f4194bacd632e56997a7a32
Link:
https://www.unpac.me/results/f4fdb698-1064-49e9-938e-cc2992f8b34c/
SH256 hash:
fbd4729cb51f4869bdbe91bf734dff441e3a352c44621e6ce3cf2907334db5d5
MD5 hash:
df3cd818d9dc3d83cf5525f0f4f0d598
SHA1 hash:
2d1af5efffa39bac97116a4ec0f71757db87c7e0
Link:
https://www.unpac.me/results/f4fdb698-1064-49e9-938e-cc2992f8b34c/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/f4fdb698-1064-49e9-938e-cc2992f8b34c/
SH256 hash:
a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
MD5 hash:
70ba285739cca49de3c60779e2d3b8c8
SHA1 hash:
07f11653d6f52ba401dbb1966081405a7bc4ade3
Link:
https://www.unpac.me/results/f4fdb698-1064-49e9-938e-cc2992f8b34c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a85d2aa65e5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/385440/
  
URLhaus
https://urlhaus.abuse.ch/url/2614335/
  
Delivery method
Distributed via web download

Comments