MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
SHA3-384 hash: 828fc436845d167443e80558daa06bdec1629ba40fe4d2910016fdddc6c92bfdfccdf05415e1cdbf61949f5e64a826ae
SHA1 hash: 62d66469bf21d2f503256dbca4c2d7d87c81752d
MD5 hash: 7b58ac884c4d2310ccb671c500080034
humanhash: october-winner-april-edward
File name:b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
Download: download sample
Signature Formbook
Create hunting rule
File size:169'472 bytes
First seen:2024-09-09 12:30:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 96:U+l5bStu9kLs8U7UPkPdtge5+j+MrrctJjUn4XvlJcB7zNt:nzbus8U7s8die5eCrjUn4XvlJOd
Threatray 4'547 similar samples on MalwareBazaar
TLSH T1D9F3A415B3C08AB7D9A206779C63D7430338EE5189538F9F3ACC370B2DB63681A91B95
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
Verdict:
Suspicious activity
Analysis date:
2024-09-09 12:33:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dc4448ab-c5bb-48b2-a756-8ac1cc26624c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16154.20793.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66deea8aee4e81557817183e
Tags:
Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/66deea8c8bdeb2969e1a7444/reports/c3d20a40-f5f9-446e-850f-557add554cca/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1ee7b4c2-1eeb-441d-af1c-2665b3b7f177
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1507943
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1507943 Sample: wo0QLwJCbQ.exe Startdate: 09/09/2024 Architecture: WINDOWS Score: 100 33 s20.filetransfer.io 2->33 35 filetransfer.io 2->35 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 7 other signatures 2->49 9 wo0QLwJCbQ.exe 16 4 2->9         started        14 Ydwlswnk.exe 2 2->14         started        signatures3 process4 dnsIp5 37 filetransfer.io 188.114.96.3, 443, 49704, 49714 CLOUDFLARENETUS European Union 9->37 39 s20.filetransfer.io 188.114.97.3, 443, 49705, 49715 CLOUDFLARENETUS European Union 9->39 29 C:\Users\user\AppData\Roaming\Ydwlswnk.exe, PE32 9->29 dropped 31 C:\Users\...\Ydwlswnk.exe:Zone.Identifier, ASCII 9->31 dropped 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->63 65 Injects a PE file into a foreign processes 9->65 16 wo0QLwJCbQ.exe 9->16         started        19 Ydwlswnk.exe 14->19         started        file6 signatures7 process8 signatures9 41 Maps a DLL or memory area into another process 16->41 21 Ydwlswnk.exe 14 2 16->21         started        process10 signatures11 51 Antivirus detection for dropped file 21->51 53 Multi AV Scanner detection for dropped file 21->53 55 Early bird code injection technique detected 21->55 57 2 other signatures 21->57 24 mountvol.exe 21->24         started        27 Ydwlswnk.exe 21->27         started        process12 signatures13 59 Maps a DLL or memory area into another process 24->59 61 Queues an APC in another process (thread injection) 24->61
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2024-08-29 08:44:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnwmpxdhqylzg2nyizowfxmnbyifyvfy7oteboskrxtoxvx4i6oq._file
Verdict:
malicious
Similar samples:
1414bfb2b3482eab9cb58ea07b49a3d6eb432996308fc6798b6d6a69f096a9c1
Formbook
5c415a3f7d2dfc912447dfde68e67c6b90cc0fd07011f8bd062390ad72111609
Formbook
b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
Formbook
c241b7dcd7b17a18f64f830101aecc1269987ab3500c4277c72b90d5a65f1de8
Formbook
cd14430d51d6e17630e51a350f68135f9f50b3b36d98d66946ad8ea6f0e9f0fe
Formbook
d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802
Formbook
+ 4'537 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240909-pp2qeazfna/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a9b945a3-0386-4b3d-b3c8-afa8e6b80c6c
Unpacked files
SH256 hash:
b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d
MD5 hash:
7b58ac884c4d2310ccb671c500080034
SHA1 hash:
62d66469bf21d2f503256dbca4c2d7d87c81752d
Link:
https://www.unpac.me/results/153a26c8-07a9-4547-aca3-0835df3f6d08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b36cc7dc6786179369b8465d62dd8d0e105c54b8fba640ba4a8de6ebd6fc479d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments