MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3
SHA3-384 hash: f74a45e7ad8118c0cac336d6fe567778c258fa7ba8d7a9adff7a3a97dfa355ada0a988dc79019bcbd1232b6c59c00144
SHA1 hash: 124cfe4d180ccfcac35b2f9ef4ae2afa6195b96d
MD5 hash: ff3e862dfe7ffb8c126ad4346155b8f8
humanhash: equal-alabama-princess-lake
File name:RECEIPT-CARGO 00009933CRER3S.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:698'880 bytes
First seen:2024-05-27 11:22:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:B7VrqrYCFd6xRDBA8GtUXsWbxSYY7ssAaUJgss2jE6Yb+YHYiGshIkZouITiZM6:G81xRDtIIsiSNZIsSxOHLRIkZJlZM6
TLSH T18BE41218321C80BBC0BA42F5255A0941A3B19E8274D3E7CA3FD2B2F957F7F958A1558F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 205cb064d8d4d408 (10 x Formbook, 4 x AgentTesla, 2 x Loki)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3.exe
Verdict:
Malicious activity
Analysis date:
2024-05-27 11:25:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/944f6389-1601-4eb3-808c-0499f4dae8de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66546d3002ef56c532bc51a4win7simulatehigh_evasion
Tags:
Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66546d1d32eca5b280fff0a8/reports/5d80600d-5911-464d-8a01-715d9859bfb2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88b8f810-e053-4925-8798-a66390aa0e45
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1447986
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1447986 Sample: RECEIPT-CARGO 00009933CRER3S.exe Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 28 www.d99qtpkvavjj.xyz 2->28 30 www.kohfour.com 2->30 32 5 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 50 8 other signatures 2->50 10 RECEIPT-CARGO 00009933CRER3S.exe 3 2->10         started        signatures3 48 Performs DNS queries to domains with low reputation 28->48 process4 signatures5 62 Injects a PE file into a foreign processes 10->62 13 RECEIPT-CARGO 00009933CRER3S.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 erHLmGXfIYt.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 raserver.exe 13 16->19         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 19->52 54 Tries to harvest and steal browser information (history, passwords, etc) 19->54 56 Modifies the context of a thread in another process (thread injection) 19->56 58 2 other signatures 19->58 22 erHLmGXfIYt.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.kohfour.com 216.40.34.41, 49753, 80 TUCOWSCA Canada 22->34 36 www.fruitique.co.uk 212.227.172.253, 49756, 49757, 49758 ONEANDONE-ASBrauerstrasse48DE Germany 22->36 38 2 other IPs or domains 22->38 60 Found direct / indirect Syscall (likely to bypass EDR) 22->60 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-05-27 02:38:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzzjgvjgddqykai6vzgft5sacm5fijnxf76likgm76pmuukhy7bq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240527-ng5lnahe9v/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5441061a-5a84-4590-9f3c-52c795cd7ddf
Unpacked files
SH256 hash:
2770d64ba970a95b919e98dd0402c9863edba74c92f39095bd1c6d859f9818fb
MD5 hash:
10f06cba25a5cf29e0cd8a4302be3546
SHA1 hash:
8f7a56a7b49e9ecb9c70314124aa55d8696ad7a2
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
Parent samples :
75f1e56e5e512b3271f6d885e5f316de1572c79b0a3639ec8392d44748635893
ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3
SH256 hash:
2d2988efe051d2662cfb6ea4cc4f5c00da70895ce183aa655ff74e7cf5e2df9d
MD5 hash:
5c011c095efebec446498caf4a1eca6d
SHA1 hash:
71666dfff5e4d5ef458b22d85dd9ea5d60eb8f5e
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
37e24c8f15819fe8a0fd63aa532c737fa35ccf3412acad38ec1b29b1233144b8
MD5 hash:
4ff5cc0c2eaddc549f58484c0153f9f1
SHA1 hash:
6f829db47d757248e214e90f187da21e00d415df
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
39a6dadfe84b2b0cc5f71e3308138da9ceddecb08456d69e98ca517e3f42462a
MD5 hash:
ebf4e735e0eb9ac1fd99226a3c22bc21
SHA1 hash:
336f21ae2e0c3e9702e97f584f007298105d0734
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
32c209f2a6369f5bd203a36263a9c243947f0e61da9ef0de068ad1117a9108f0
MD5 hash:
8d1fa59e56a1e6a12aa52f40c4890050
SHA1 hash:
2064eb9d04cb6ca22390df04ec7c214a5642b3ae
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
809e1feec30ab0ef939f292960a145a2c956d11dfdd252bc505d88f572e1b289
MD5 hash:
5a9996debe9d6dd48ee81e317899b8b3
SHA1 hash:
eff8d366532dd8492e884c6f0aeabbf7dafcafe1
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
0139d5d46c672450fb9b1b704daf865ae4fafc787a9b531296024ec42849e447
MD5 hash:
ce21178b54dfa5369dd2fb384387af9b
SHA1 hash:
c3d7b8249256aebc5004af9ac084e3de7c4896b2
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
a2e6e99688781107b5afd3f65eb7abd9871140f62289c269ce5da3033d97a0a0
MD5 hash:
1ff9f21e57388dca73c10acf170a0715
SHA1 hash:
9739e27a8bffa9050f63081842fcc67dc9a94bb0
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
13b24a7419dc4ddf05994b6971855cbff383bdbf40e18c7f4540c660703b2c96
MD5 hash:
9f335428f2faf130b12850ddd87cb3c4
SHA1 hash:
6c1197819c2e6d1dea94c69b535f2142324a6fc8
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
9c7633ca1b91d3ebf03860f19e11f0f66063842c861549e3751ef1d970f94b71
MD5 hash:
1accacf42223595ab2c2878f56723fa8
SHA1 hash:
2a26869b2cd9ba8aa5454870989e4dd8c7a8cf39
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
812f5f2a39493a22d352ab060ed3a3aba84bc74123adf5b0d73194793713318f
MD5 hash:
f4ecf53b23bda718fd6104198b0b3fe0
SHA1 hash:
0e4dac28518ff5006c24cdedd170e215a2beaa68
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
SH256 hash:
ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3
MD5 hash:
ff3e862dfe7ffb8c126ad4346155b8f8
SHA1 hash:
124cfe4d180ccfcac35b2f9ef4ae2afa6195b96d
Link:
https://www.unpac.me/results/cfa446e7-83a5-46af-9b33-f432d4b5823c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae7293552618/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ae7293552618e185011eae4c59f640133a5425b72ffcb428ccff9eca5147c7c3

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments