MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
SHA3-384 hash: 7cda1673449aef10bd64de59370ad878e0ba516597cad71e46930cf79f943fa8d4809b94e8377ae2e5d3b838336e64b1
SHA1 hash: 96797ca3c714ccd723d231e630d93cc1d967012d
MD5 hash: cb2209284492ac6d35ffc9fe0b84d5b4
humanhash: oxygen-mockingbird-finch-eighteen
File name:noston.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:392'704 bytes
First seen:2025-03-19 10:28:51 UTC
Last seen:2025-03-19 11:29:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:V7WKHUBNHh4+n3CRXy1DxdGd7th0gH/woQXHPD5QrfBkd:hF0BtRnw7th0gHIoGHPDerZk
Threatray 6 similar samples on MalwareBazaar
TLSH T1FB846C650395DE47F09C37F85E6010423EF569A7DB22697482C0A8BEFA60ECD5E13E93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter JAMESWT_WT
Tags:exe FormBook github-novascoders

Intelligence

File Origin
# of uploads :
2
# of downloads :
436
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
noston.exe
Verdict:
Malicious activity
Analysis date:
2025-03-19 10:35:06 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/2a783e92-c09b-4ba7-892c-9b4fc924af4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.167320.14150.14380.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67daa3069388e75d078e8abb
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71629326-d7ae-437b-96e8-e3cf6b507fbd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1642818
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1642818 Sample: noston.exe Startdate: 19/03/2025 Architecture: WINDOWS Score: 100 28 www.fhetechnology.xyz 2->28 30 www.dualhodl.xyz 2->30 32 17 other IPs or domains 2->32 42 Suricata IDS alerts for network traffic 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 50 3 other signatures 2->50 10 noston.exe 2 2->10         started        signatures3 48 Performs DNS queries to domains with low reputation 30->48 process4 signatures5 62 Writes to foreign memory regions 10->62 64 Allocates memory in foreign processes 10->64 66 Injects a PE file into a foreign processes 10->66 13 RegAsm.exe 10->13         started        process6 signatures7 68 Maps a DLL or memory area into another process 13->68 16 Gedu54VhGqPsxHVnyu9p6.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 auditpol.exe 13 16->19         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 3 other signatures 19->58 22 Gedu54VhGqPsxHVnyu9p6.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.raplink.site 67.223.117.189, 49700, 49701, 49702 VIMRO-AS15189US United States 22->34 36 www.poopvid.store 103.224.182.242, 62399, 62400, 62401 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 22->36 38 11 other IPs or domains 22->38 60 Found direct / indirect Syscall (likely to bypass EDR) 22->60 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-03-19 10:29:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmrmtkj2dx7zwqngqgrfpf3t46lri3wo7ug5utcxj4syabg37cta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2050666c34009e372410eec0c7ceebe8021e6752c28b2087d1723cbac83a5bc3
Formbook
4d58596777616fe9fbb75aef8c3ef57688cb3bab97d8690c850b57a12a84ba5d
Formbook
7fef88169bcdcb30ca4d56c7233082a64dd7b972d8684785211b30750d8e6db5
Formbook
a9a61fc381ffd18cd3b1d58f7f0bde152bd2daa46bd928ab609c0073dbfe52dc
Formbook
ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
Formbook
cff59734917da3d8698da091f4291e6907a8bbe643fe7abbbc6428879529eb68
Formbook
error
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250319-mjanmavwe1/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b9265cb9-83c8-455c-84e8-17ad9fe989e5
Unpacked files
SH256 hash:
ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
MD5 hash:
cb2209284492ac6d35ffc9fe0b84d5b4
SHA1 hash:
96797ca3c714ccd723d231e630d93cc1d967012d
Link:
https://www.unpac.me/results/3da58140-90f6-4600-8dc6-2cb261021363/
SH256 hash:
ecb129cce94db8594bc69eda1ead471db15bdd784afc9a2e8adc56ef3bb71888
MD5 hash:
27c52e96a5804196921c61a1c22172ea
SHA1 hash:
45c12029ad318a8240e75305e89b61a06532c8af
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3da58140-90f6-4600-8dc6-2cb261021363/
Parent samples :
4ca6c67a91a4186d98691455cf74d78d5ea807a35671d0fe7f267d26d28a887e
d31208b71987d8cdbb8affc975333950516b6aa23951020fbd536fa27e1d1f0b
ea182b46e91f32537a6220caf8c6afab856db2a1f54ff078d2505fce84886317
5b72ed928f8a9e98082f9d22d1966a0bfea8222c51041311a6ab5b1339c8f95c
33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914
5a4e470b3209d805f2c4f0707795907a5e5d2964d1ec35b9b42eb8e6d5dc9f82
02a3bd948e6463c2dc29482b77286aa13e7c76043a16fffd0b0ce05e53c1c68e
e7e58774286c3f86656f253e5b53bb32c02ba2cb5eff739bb40e4d8853bbc4de
ae82af7dac57877f2da402544bd5af774710be29e388637d8a6dcb8e2c198de5
e75ad8565d853b8a08df2e9b75f0df4fc8fe9b14a0fc3d796aeb3c8b6751436c
fa990d3b037070b8dd038651325ffb8ddd8fa709a74fb174cf423131939457db
4949207a1e4bf8bf1235e0b3edcdaaaafbc51edcf7dcf2cc81fdb1cae40c29d6
ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
2050666c34009e372410eec0c7ceebe8021e6752c28b2087d1723cbac83a5bc3
a545367132b0ec9df0538a1eea261d64a5c2c986b3d9ff09e2e11e0b3d21faba
SH256 hash:
132113a4eb7bbe0ca492849b002fbb2d208f2638cc9a3ad92a08de505fe4a61e
MD5 hash:
79a6d39ed6623375065377f1302f235f
SHA1 hash:
ee3533e2294e136a9e204e8c437fe7f4f285534e
Link:
https://www.unpac.me/results/3da58140-90f6-4600-8dc6-2cb261021363/
SH256 hash:
9f51e87c8b4837320c7c11fa431ca6cf23336a314ab12f51442ba9b23ee01f13
MD5 hash:
1c1547e778234480c94db4b54a4c4806
SHA1 hash:
a81d7141f89053f2096ef80ec5d5f1f1c15da77c
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3da58140-90f6-4600-8dc6-2cb261021363/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab22c9a93a1d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments