MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444
SHA3-384 hash:	a269a15653ce61e0ac2c0535c6f4d99c2e07b6212038a01b11bcfe2ba5d603f5c382e444ce1752694a7ce3b399f1d985
SHA1 hash:	2b554688a8b7c8fb3aeaf80fe29afdbdd2f0525d
MD5 hash:	836a64a336ec4dc06ef7368b4c4bfcbf
humanhash:	johnny-magazine-steak-mango
File name:	ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444
Download:	download sample
Signature	Formbook Create hunting rule
File size:	645'632 bytes
First seen:	2023-10-16 08:08:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:EvofAf6+vHw5DO6AkjvOSf85bzSMKKFOAMXjMAh6hKuxkQ2MFuU:EvofUHcO5sOSfybzMKrM4hhKuxd
Threatray	70 similar samples on MalwareBazaar
TLSH	T181D41241B27E375BE8B687F1A541B5020BB0953724B6E3015DEEB0EB68A5B001BD7F17
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	pmmkowalczyk1111
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444

Verdict:

No threats detected

Analysis date:

2023-10-16 08:09:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/73cc5425-66b2-4a7a-8b2d-8ee867ccdbe2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454738/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/652cef9f5da218a42f50fb58/reports/b23f658a-93a6-4094-ae1c-7b6456652d6f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52eedb6d-c251-43b7-93f3-9c546636e0a4

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1326263

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-10-12 13:12:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 22 (68.18%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmq2h5wvyhdgmdbsritupimlqff2xv4bjeccsbxbojpvakoxurca._file

Verdict:

malicious

Label(s):

formbook

Formbook

988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2

Formbook

a915e631517c5b9eadd5062e2c12d33521950a2650d56e69f60ed0d783f35345

Formbook

ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64

Formbook

ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140

Formbook

c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910

Formbook

ca3518a92dca2cb626a8caeb89bff0d9cfd240d7cd06d1cdf9973a746b4f699d

Formbook

ea2adbcb61a20497bc442d31600336a93659f5b38ee367fa83c0a996b0912e83

Formbook

+ 60 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231016-j1421scg3x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

c941a534f960bd544c61d9f3c13ac12a678de6698871d254bf0110ccb8efe259

MD5 hash:

5121ce19f29de71067d1083d7073eb7e

SHA1 hash:

1a3701d6e38c21ea741b417fbf8410c4a0fc6437

Link:

https://www.unpac.me/results/76a77732-cd5f-4dfc-88f6-8db575abc771/

SH256 hash:

14bb209b285279dab6ec2ec5b36dca3286fde25f887c5b7c2d250296ea1294ba

MD5 hash:

b0172cb5587e2323940dd50f7b8e160f

SHA1 hash:

630f9a2f75385c31819c26b625720ed0b07f2226

Link:

https://www.unpac.me/results/76a77732-cd5f-4dfc-88f6-8db575abc771/

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/76a77732-cd5f-4dfc-88f6-8db575abc771/

SH256 hash:

de8025b530a89ce43bfd98b86ecbda05c159e5d73cd7cdf4258e4e16ce7074c8

MD5 hash:

16fc7c81ba5477662f8fbfbda2c1d927

SHA1 hash:

e43612a55ce3528de375b634493dc6c3b1e829d7

Link:

https://www.unpac.me/results/76a77732-cd5f-4dfc-88f6-8db575abc771/

SH256 hash:

ffabc13f7fad5bea21ab9b04b5c04700394db8ec812f01af098dfbd213b0cded

MD5 hash:

bb95d7e54d7271723c25cf89f5bc63fc

SHA1 hash:

c00a879d8c2bf1d1600387eee96b70f53fa53a39

Link:

https://www.unpac.me/results/76a77732-cd5f-4dfc-88f6-8db575abc771/

SH256 hash:

ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444

MD5 hash:

836a64a336ec4dc06ef7368b4c4bfcbf

SHA1 hash:

2b554688a8b7c8fb3aeaf80fe29afdbdd2f0525d

Link:

https://www.unpac.me/results/76a77732-cd5f-4dfc-88f6-8db575abc771/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/ab21a3f6d5c1c6660c328a2747a18b814babd78149042906e1725f5029d7a444

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/454738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample