MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1
SHA3-384 hash: 7be3917198c22892017280feae5fd51afa85dad83ede6427df0ad4925b44b9b7db2e2d47831dc5fd769fba9f472d454a
SHA1 hash: 50b7c5b76cf662d52896a79860a585cc18e8cc87
MD5 hash: 5e792b28f60d355d210294f26847089f
humanhash: apart-delta-diet-three
File name:rqualidadeADMAuditin.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:456'192 bytes
First seen:2023-05-10 18:05:28 UTC
Last seen:2023-05-11 18:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:I1XQakQK7FxbIBMPrIx2s627tbPdQDYn3DYj1A+I3Xn9zIPEjj1PmauqtHpp:uXQaYbBo2mBPdQDYzYj1fkndIPWT
Threatray 2'802 similar samples on MalwareBazaar
TLSH T137A4C18CA35B6449EB1EC7F7EB50F36527B36CAD29D18ACA01F73C6C2194A483F46611
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e482b2b2a2b470c0 (1 x Formbook)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rqualidadeADMAuditin.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 18:06:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0762bbc0-8b11-41f7-9961-50045739f83a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388256/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10388.22179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/645bdd0a4698ab2675290407/reports/626e0767-cf83-43f5-b2c3-6cb8dae43a73/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb957993-ac89-496d-a7a0-379abd8a3a17
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1230304
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 17:56:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdakiistwjugdc7whlddd7rqjriqctryxd63fyqbftnswsuymgyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d3c7fefde60268ec96906144d74058651f6d5d7ed5993a8b1ed00ca40a2d7f0
Formbook
3ab1320757d68dbf0e5eb5d31cf81247952c244bbfbda9466cd83d112efc2c72
Formbook
407cca2ad9433a2a222f9ab1ce14060bf6d5a5c041dc8d2b545257fd0be9e8b1
Formbook
615349f7344705307b2316dee1177a887390195e85d692069fb2c74def5a4ece
Formbook
6b2d71b9e5b1ed1d75d7eb03141735491c906c4e4dc6846bc1ef6e032507b1a5
Formbook
77194b668ce640225df0d876e991d58dc8c08e809474cd21abe5dc030857cb10
Formbook
93e9640423fb4afef5c9255f3489af80b7961696350cf0c30cb295711bb50a8e
Formbook
c14e90c00e4990b3c80a1ed015ad0bf6fdd7fb1d083b7b4d756b5cb74f6c7cd8
Formbook
ca36938bca50bc95f123c86a7c886b2da3add6b082b31146bbfae46ddccc473c
Formbook
caf42d835224609c61dcc1b6ddfcf517e47088e750ee67b16508c4fb2fdc5e6b
Formbook
+ 2'792 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230510-wpqfpshf69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
7a8bc89b25fec00df031363c72c82a461699b54c111c7799f4f946cbdcf1cdb4
MD5 hash:
f51cb0d9a7d65b2095fb22076258f0c8
SHA1 hash:
37623195a91c7d991ba31e83755962f697bfc0ec
Link:
https://www.unpac.me/results/18591bad-7b14-4e0a-9889-315ba3137b48/
SH256 hash:
42add6e29dbec50e34211d7009907cd0293ed305dfb6977f54a807c265998301
MD5 hash:
078c400cd633b821fcfef502d62858bf
SHA1 hash:
d6967f951cf9b93d1b64d47754279731bd5d6964
Link:
https://www.unpac.me/results/18591bad-7b14-4e0a-9889-315ba3137b48/
SH256 hash:
a440b5929848e6071f401a94fc1a040f14094bf7701b151ff409aeaa60e05f95
MD5 hash:
909be53831182d523ccea3c428d59c4f
SHA1 hash:
8f8f99a97544638bdfc02b5f8054f833f46eccaa
Link:
https://www.unpac.me/results/18591bad-7b14-4e0a-9889-315ba3137b48/
SH256 hash:
a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1
MD5 hash:
5e792b28f60d355d210294f26847089f
SHA1 hash:
50b7c5b76cf662d52896a79860a585cc18e8cc87
Link:
https://www.unpac.me/results/18591bad-7b14-4e0a-9889-315ba3137b48/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8c0a42253b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a8c0a42253b268618bf63ac631fe304c51014e38b8fdb2e2012cdb2b4a9861b1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388256/

Comments