MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4
SHA3-384 hash: 1a744b3c775a44de01d215b02cc944374c5177ac00b47e169d07cb102d408da8871a9e60e996941d0e741f9663cbf01a
SHA1 hash: 4c58686e6a9f1b059272955645629f64bb16e54e
MD5 hash: 330fc46a62c79ca56591c7b8fb90eeae
humanhash: lion-speaker-fruit-potato
File name:SecuriteInfo.com.Trojan.PackedNET.2627.16375.12042
Download: download sample
Signature Formbook
Create hunting rule
File size:800'768 bytes
First seen:2024-01-15 14:22:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:e1Qm+ZfocmW6Y1MN62qZaSjVO3PEFwRHTK5mWCKag9x3XRJKryqcopeGFzOOH0m:eMmWfSUZaItOGMaRJK0ok+E
Threatray 481 similar samples on MalwareBazaar
TLSH T16F05122033F85B7BD9B94BFD5231A41023B57B0A2117E75D9E8314CD2D21B828B5A7BB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470933/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.2627.16375.12042.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65a53fc759502c0e7b377722/reports/b728d8a2-1dd8-465c-a147-bc8cdfe6269d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d19653b3-dd12-4517-b9c2-48552f7591b8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1374800
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 14:23:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=why7obc3sqqspa4vlqmeansewh3cjg3mtce4vl5sa22il27qzdsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
144eea27473695352b1dca78911d83a4752c720b571cbe901c74821734736778
Formbook
3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e
Formbook
4a34fe65ddd4931b016c6cdc7aee772f7184258c34ddbe04e71d374c7efddf04
Formbook
52314c509cc39d57832c2efc2782ac7fc74448e56a2771989d877d4f9f6adc85
Formbook
5e2e2b3309ec8c4305d437cd8d545841e15679f664c62f8c1be1fe8733d5d292
Formbook
94a65cca7423e32a923dcc0aad65712c9048d5c79d51162237ebd24a8d99f961
Formbook
afd7592da43e21b2731f1fd0e3c11b95e5d87ce3ef2967240089331c7bb367d6
Formbook
b102e9f6cffee4bc6d2cfdf337ecac759fd161b38fc666096d53bd31d887992d
Formbook
b3a50f27f037fc524303604335c490550752f7eb426553a73b12b8ada3d2f892
Formbook
b937e279fde4541f11647041a467d331dfc78562d9e267a7eab970d62dd017f5
Formbook
+ 471 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240115-rp47msacg7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
643b8393660afa372c1d3dc6c8467735987ad91a15817fdb9af59d2fd7721cd3
MD5 hash:
938d876f8497b5cd8ba4e60b3c1fda41
SHA1 hash:
57d4365ed77176b99f98700eed9a16a3bc891305
Link:
https://www.unpac.me/results/ebf93db5-3f80-41a0-9907-d8e77ce97098/
SH256 hash:
c2fc5150baff014bc6b8258971022b7b6f502e195a93d795803e2dc4411fd30a
MD5 hash:
e3e72476df07ee34fba6d4ba6f8d0bd4
SHA1 hash:
bca7c6e78084d699d47717bef3268d03f69e414e
Link:
https://www.unpac.me/results/ebf93db5-3f80-41a0-9907-d8e77ce97098/
SH256 hash:
1bf4b72239d077efaf34ff2a8102c3c3f98685b3876dac73956c17c753d4bb81
MD5 hash:
bf2d2e955fc51ca5dba31b5886f66ccc
SHA1 hash:
ffa6d55e5ea1ad15407394b706dbcad2ab765ee9
Link:
https://www.unpac.me/results/ebf93db5-3f80-41a0-9907-d8e77ce97098/
SH256 hash:
adab02f912fe1cf863e969bd6cbb9910be29ac35970bcf8e90c81124814e7618
MD5 hash:
030b622e597a265289e2231281d10ef9
SHA1 hash:
6c65db88f146a7335cde244bd8705bf3f4036e65
Link:
https://www.unpac.me/results/ebf93db5-3f80-41a0-9907-d8e77ce97098/
SH256 hash:
21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818
MD5 hash:
440bb4db146ccb1161ac2bcf365d7676
SHA1 hash:
506eda511b46df6e95d86861e70fda81307f8623
Link:
https://www.unpac.me/results/ebf93db5-3f80-41a0-9907-d8e77ce97098/
SH256 hash:
b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4
MD5 hash:
330fc46a62c79ca56591c7b8fb90eeae
SHA1 hash:
4c58686e6a9f1b059272955645629f64bb16e54e
Link:
https://www.unpac.me/results/ebf93db5-3f80-41a0-9907-d8e77ce97098/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1f1f7045b94/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1f1f7045b94212783955c18403644b1f6249b6c9889caafb206b485ebf0c8e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/470933/

Comments