MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64
SHA3-384 hash: fd99e25eaf9823dd4a32a6567fb1ba1e6cc05b75a4289a6d5ef3146ecdb5e8b97ef7fe445ae80468bf2164f9e4034e2d
SHA1 hash: aec01c9fdbb0849084efc6bb1e5a35578048ceaf
MD5 hash: 0ca6d486f879eba5d2cd0fa30417508f
humanhash: berlin-kentucky-lithium-robin
File name:hesaphareketi-01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:785'920 bytes
First seen:2023-10-05 09:31:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:78zS55mFzqyEqN8DRkyiww4fN+xzxpjH9kHWf4KSMxq7o1jRbOZe5PP2eFWg:7f55qZEqNYTfNkxsS0Vk1jJI8PP2eF7
Threatray 20 similar samples on MalwareBazaar
TLSH T1D7F4F1827236456EE9E80DB3EC25445416A32D6DA670FE8C5CAB729734F2771036EF0B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 301a5a5a5a5a5a58 (1 x AgentTesla, 1 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.710.15045.12151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651e82949b16696e9f91dcc6/reports/ff5c4365-c501-4116-81b3-76ec3bbf345a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/feb859f6-2c36-4715-a178-669108ca81e8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320127
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1320127 Sample: hesaphareketi-01.exe Startdate: 05/10/2023 Architecture: WINDOWS Score: 100 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected FormBook 2->32 34 4 other signatures 2->34 9 hesaphareketi-01.exe 4 2->9         started        process3 signatures4 38 Adds a directory exclusion to Windows Defender 9->38 40 Injects a PE file into a foreign processes 9->40 12 hesaphareketi-01.exe 9->12         started        15 powershell.exe 23 9->15         started        process5 signatures6 42 Maps a DLL or memory area into another process 12->42 44 Queues an APC in another process (thread injection) 12->44 17 BUnDFnQCSuHzbiMXKgfunSmf.exe 12->17 injected 19 conhost.exe 15->19         started        process7 process8 21 raserver.exe 17->21         started        signatures9 36 Maps a DLL or memory area into another process 21->36 24 explorer.exe 2 1 21->24 injected 26 BUnDFnQCSuHzbiMXKgfunSmf.exe 21->26 injected process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-10-04 04:40:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqipuotlpt6ihbnluykmvdynusp6nmgln4nzhhwa6acg5t4azjsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
6de402e896d0ecf6b4d55fe0ffc1b978e511a632a842e188200e5cb736893210
Formbook
703ecadd8d32ae22f4379b418bb1690ea42e4d38657bc4f5766ee20b8c154baf
Formbook
988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2
Formbook
becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789
Formbook
cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
Formbook
cecee88a7617e74a94da62a630b47509785f2d0dd45bae200fba376915eff317
Formbook
de99e6f0be1e9a5d12fa7d4fe82b34cfb6ba6b85cee18e4acec0d7f97593bcbf
Formbook
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231005-lhl5laca36/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
162a946816a425a6fbd720474232285b352bf83cb16c7a65edbd1bd281615168
MD5 hash:
c35fb6c6d0c832b80007e7d894d8aedf
SHA1 hash:
caf8f365a0015485e6c7f29fb2f57b0a312cee2a
Link:
https://www.unpac.me/results/3c6bdcaa-8434-4739-8094-2c54d505aea9/
SH256 hash:
e9cfda5e815e0cc4abd0bd1b033a456d99a7c12e6809a4cd90a6aa066269dcba
MD5 hash:
7e10d04f96e992dc2ac2c238033637bc
SHA1 hash:
0dcb97db75c11256f6f0f374e19fad6ddb4f65db
Link:
https://www.unpac.me/results/3c6bdcaa-8434-4739-8094-2c54d505aea9/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/3c6bdcaa-8434-4739-8094-2c54d505aea9/
SH256 hash:
835bc1b722f777a12e967cdc2d0048758532378bbdc2621c7846bbdb9288b5fb
MD5 hash:
ad19bed95e241b38a134bdeea549c4b8
SHA1 hash:
be8f43b054bb659dca33866e62fe59a703877a68
Link:
https://www.unpac.me/results/3c6bdcaa-8434-4739-8094-2c54d505aea9/
SH256 hash:
af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b
MD5 hash:
ec0b80883f0b18fb75a48dd18795f514
SHA1 hash:
afe9537c27362b6769a1df0ad414b8e58d34ea40
Link:
https://www.unpac.me/results/3c6bdcaa-8434-4739-8094-2c54d505aea9/
SH256 hash:
ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64
MD5 hash:
0ca6d486f879eba5d2cd0fa30417508f
SHA1 hash:
aec01c9fdbb0849084efc6bb1e5a35578048ceaf
Link:
https://www.unpac.me/results/3c6bdcaa-8434-4739-8094-2c54d505aea9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments