MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 16
| SHA256 hash: | af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953 |
|---|---|
| SHA3-384 hash: | 8f25399760adcd530243187ac54494bfa6c85fceea09ec79e287d9b657b58a1936a41d5763d5017c99b29c1d9e8b71d8 |
| SHA1 hash: | 49c5e9d3380de7789ceb57bd3245aa33c8fbc76d |
| MD5 hash: | b317a85b3c4fec3a0a888613a91de41c |
| humanhash: | zebra-salami-chicken-louisiana |
| File name: | SecuriteInfo.com.Win32.PWSX-gen.20635.18928 |
| Download: | download sample |
| Signature | Formbook |
| File size: | 603'648 bytes |
| First seen: | 2024-01-23 04:22:43 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger) |
| ssdeep | 12288:vujLBJI3RLSrG8UUShhjIY20NyrfPQhqRvdWMkmyowTAtdiKxc9:mjrucG89ShqwyrfUOvdWMkPRAtdJ0 |
| Threatray | 2'648 similar samples on MalwareBazaar |
| TLSH | T1BFD42326B7987363D81807B409962261673068D2D63BE18FDD52A2C94BB5F005FB9FF3 |
| TrID | 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 24cccaaacc99d264 (13 x AgentTesla, 8 x Formbook, 1 x SnakeKeylogger) |
| Reporter |  SecuriteInfoCom |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
407
Origin country :
FRVendor Threat Intelligence
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2024-01-23 04:23:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 2'638 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:de74 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
07e466aba512cbdb6587232f06e44dee34d7b41d83f93377abdace1dc27fd61a
MD5 hash:
3eeab3a9785f0369037c91cb2d66f069
SHA1 hash:
66df0a549dd358b89d8d1755af8439fe29d33cc1
Detections:
FormBook
win_formbook_w0
win_formbook_auto
win_formbook_g0
Formbook
SH256 hash:
292a0518841e86949acf831703623779d63591cc95ebc4030d00da3b72066c77
MD5 hash:
4d697347eedf1d51cc5fcf7a066621f1
SHA1 hash:
bb9398d6d9f9ff3c74aadee7cdac6e04fab4770d
SH256 hash:
93758d09b929aaa430c37a0bb285006156ebc8538dc6710d051eaa39269cfce8
MD5 hash:
ce01570b7cf7433cd0316285c987b241
SHA1 hash:
651d9a9db17b170c5a60d7ae21f76b385ec53488
SH256 hash:
853f530579b4aa0d5f36b83fb15310d1165c59906bc8dda245b686c26a2fe574
MD5 hash:
6dcd36e908965b3a3c4ab333fcbb6f4a
SHA1 hash:
2d4f917ce319c586cc77c54ee2c80616c5467d32
Detections:
Saudi_Phish_Trojan
INDICATOR_EXE_Packed_SmartAssembly
Parent samples :
9d58f6f9e8cadbecbbef127edaa0f5376f8a52643e8d08d029f6672783a16e22
af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953
21f4cff809112e0a354179b898ede4e2d46c02c4054faeea2a1d57c08f6ac6bd
3e941cee8775445c37f252c350d1db6c09ba1587a798ffe8ded410568fe84629
008829495fb07d03d8ba297ade38201a8d713902ee7b2c18710e2ca63513daa3
5d6af06be9ec01074484b491de582d0ba0625f30ef36b96331675cd2615fe7ed
15114ec1d55832243fff432834efa5432e01e8834b6b8bfe05c7e6e8bdf78b7e
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
3730cb53c74ac925b65e3c43e603f1a2664d5b06d1c9239403a7178ce9c3e4e0
f746ed45af2d73fae31d7c7b26b365377aa7d8bc97a12b9583502797c71502f1
1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
46de16ca8457889b62194d6dfc6a4baedc6ebda2feccb40cfede71e5ef8909a9
1d132becb6f5aa7c2597944d9fa196bacf8cea871ccbdd09ce64cab06f581583
c63a10d8a92a5348801360fb963792f3f4309d6801eee6fa63038333f6b5d830
d5b58663ecebfcc7b6093c8d0fbea2539cbcaeaa00d3f46f38b60353223ace6f
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
55f2afe80aaf7acecb9a81cd6171b4bf54a30aca00df32c4fc42aeb37d383f39
8826eb70de19f0bde0925ea53e0e33510e5414658ceaf5afacb6c1fb180d9745
0b31e06dc15e96e9b5a3ff9f7618643d8d0e8e71f631414482ee8c218bbd2d85
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
b5e780ba89a5931161f195adb76074b20fd6a6074193529cbe6fd80031f66ad0
1114073506daab881c22bce61bd90102035168e438f38e854f6ec4c06d6d32c7
7bb92c2e39257c484c80d3b38aa3434b89eb60ff3af59d9213768b584e4f30ed
41f69d2ee1b520c3b7b6f890f1aa179e8e4e7b42e0ee9bde0d0bffe6ee99e21b
e453df70a43c13e5369e84d709be914f98bd1035d4efee09d090572baa1845d1
1a4bea91e3d72f6c78b16e46376c9705c50d45f0c1ab05b0145bed9b8a33e477
64b31e1b3603d676bdc0bbef41f539f4512bb295f019e25989694bfe05431b83
4860c4829d6149b7b05d263746a1f28702c98d9e187eac27c32f6b2bde162e9b
d1eff45d764dbbd9e9fc345263b8b7f3b39996d4dd57b3c3ff4dd57215faad07
fa4c8c4fd3ad0008d15bcd71e575130151f5f211f7b1fd3e4c934e68f9ec5ad7
96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72
776774dc37907872aa37bd08d7940d51fcbdf88d09dddfd406215a9a5711dec7
0443311f4b05218b62f48a55e9352a7bae03736be86f25590419adf5839f23c5
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
5d47a80d0d70a08c67a9a793bfbbb939c9b13938e76e4b03f8499b3f4e4caa6a
289c80a31dd9c0f4c69db3288e5240e090a70e076fef4e392c63af50d224e4a5
33cde805b1aa4d8bdab56b02496c00745feadbbf0931c1f759fb9669d0090b80
069960eea034929991cd4c1edfd5cfbe12ecd1fb8cc85a58e64696c69839f49a
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
2d79661bab06962e3e62224d335c54bba46b49816053a657f5e385f9c664decb
18dcc42b24c46ae2977b3173964ba0a89595c83839bf527a32a7c7b28b4c369a
789f724c88740882c6fef87be7bdf47461cd59482f41fa18d48ad799b9cfb931
c9299fe5ed7896a57647e91989b9f0eaaaf695a0327badb974c595f461602645
9ab459961a61e4b570365b270bbd8f19ce432275f7d5a44c22fea3efba69fa9c
9d381423ee9f27108e8df36d255f1cfa33e6873ab0d7827d72b47d548293024b
ebaad7382547ccd2a7122e2a991e0b5fabcfc49823e258eaef1c2c57062321a3
59271e92e53dd84c1525724e5157c22a417a7875473031fd268245033917f97f
af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953
21f4cff809112e0a354179b898ede4e2d46c02c4054faeea2a1d57c08f6ac6bd
3e941cee8775445c37f252c350d1db6c09ba1587a798ffe8ded410568fe84629
008829495fb07d03d8ba297ade38201a8d713902ee7b2c18710e2ca63513daa3
5d6af06be9ec01074484b491de582d0ba0625f30ef36b96331675cd2615fe7ed
15114ec1d55832243fff432834efa5432e01e8834b6b8bfe05c7e6e8bdf78b7e
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
3730cb53c74ac925b65e3c43e603f1a2664d5b06d1c9239403a7178ce9c3e4e0
f746ed45af2d73fae31d7c7b26b365377aa7d8bc97a12b9583502797c71502f1
1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
46de16ca8457889b62194d6dfc6a4baedc6ebda2feccb40cfede71e5ef8909a9
1d132becb6f5aa7c2597944d9fa196bacf8cea871ccbdd09ce64cab06f581583
c63a10d8a92a5348801360fb963792f3f4309d6801eee6fa63038333f6b5d830
d5b58663ecebfcc7b6093c8d0fbea2539cbcaeaa00d3f46f38b60353223ace6f
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
55f2afe80aaf7acecb9a81cd6171b4bf54a30aca00df32c4fc42aeb37d383f39
8826eb70de19f0bde0925ea53e0e33510e5414658ceaf5afacb6c1fb180d9745
0b31e06dc15e96e9b5a3ff9f7618643d8d0e8e71f631414482ee8c218bbd2d85
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
b5e780ba89a5931161f195adb76074b20fd6a6074193529cbe6fd80031f66ad0
1114073506daab881c22bce61bd90102035168e438f38e854f6ec4c06d6d32c7
7bb92c2e39257c484c80d3b38aa3434b89eb60ff3af59d9213768b584e4f30ed
41f69d2ee1b520c3b7b6f890f1aa179e8e4e7b42e0ee9bde0d0bffe6ee99e21b
e453df70a43c13e5369e84d709be914f98bd1035d4efee09d090572baa1845d1
1a4bea91e3d72f6c78b16e46376c9705c50d45f0c1ab05b0145bed9b8a33e477
64b31e1b3603d676bdc0bbef41f539f4512bb295f019e25989694bfe05431b83
4860c4829d6149b7b05d263746a1f28702c98d9e187eac27c32f6b2bde162e9b
d1eff45d764dbbd9e9fc345263b8b7f3b39996d4dd57b3c3ff4dd57215faad07
fa4c8c4fd3ad0008d15bcd71e575130151f5f211f7b1fd3e4c934e68f9ec5ad7
96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72
776774dc37907872aa37bd08d7940d51fcbdf88d09dddfd406215a9a5711dec7
0443311f4b05218b62f48a55e9352a7bae03736be86f25590419adf5839f23c5
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
5d47a80d0d70a08c67a9a793bfbbb939c9b13938e76e4b03f8499b3f4e4caa6a
289c80a31dd9c0f4c69db3288e5240e090a70e076fef4e392c63af50d224e4a5
33cde805b1aa4d8bdab56b02496c00745feadbbf0931c1f759fb9669d0090b80
069960eea034929991cd4c1edfd5cfbe12ecd1fb8cc85a58e64696c69839f49a
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
2d79661bab06962e3e62224d335c54bba46b49816053a657f5e385f9c664decb
18dcc42b24c46ae2977b3173964ba0a89595c83839bf527a32a7c7b28b4c369a
789f724c88740882c6fef87be7bdf47461cd59482f41fa18d48ad799b9cfb931
c9299fe5ed7896a57647e91989b9f0eaaaf695a0327badb974c595f461602645
9ab459961a61e4b570365b270bbd8f19ce432275f7d5a44c22fea3efba69fa9c
9d381423ee9f27108e8df36d255f1cfa33e6873ab0d7827d72b47d548293024b
ebaad7382547ccd2a7122e2a991e0b5fabcfc49823e258eaef1c2c57062321a3
59271e92e53dd84c1525724e5157c22a417a7875473031fd268245033917f97f
SH256 hash:
49f12025017c6a5aec4d4b5c661048b49e05635297a55aba88e28b8ca74ef0ce
MD5 hash:
66cb5e8d0fd00d3f69cc260ce48dec0c
SHA1 hash:
11fb2d2634ad099a38a9814b52b5e2778e7c9e89
SH256 hash:
af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953
MD5 hash:
b317a85b3c4fec3a0a888613a91de41c
SHA1 hash:
49c5e9d3380de7789ceb57bd3245aa33c8fbc76d
Malware family:
FormBook
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | DebuggerCheck__GlobalFlags |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Active |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Formbook |
|---|---|
| Author: | kevoreilly |
| Description: | Formbook Payload |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | maldoc_getEIP_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | pe_no_import_table |
|---|---|
| Description: | Detect pe file that no import table |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Windows_Trojan_Formbook |
|---|---|
| Author: | @malgamy12 |
| Rule name: | Windows_Trojan_Formbook_1112e116 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_formbook_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.formbook. |
| Rule name: | win_formbook_w0 |
|---|---|
| Author: | @malgamy12 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.