MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf
SHA3-384 hash: c6e9c5248d1cbfbc9bbaa7564956b81c8c9775154a4b2726282c6af06e0096c28b80d4b86af9f4679f916b90e8ec1b57
SHA1 hash: 188dea1e06e75391cc42fafe84e16396cafae2c9
MD5 hash: 48353808819cf7a6d4557da32df96924
humanhash: coffee-tennis-lactose-winter
File name:SSCTEC9201.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:762'880 bytes
First seen:2023-05-02 12:15:44 UTC
Last seen:2023-05-13 22:57:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:jBdwsj8LCTdPo7wQbVhc6DTmp2OKlsThMsL9fkFnS:fdj8Lai7/vRDTmYHIMzNS
Threatray 2'791 similar samples on MalwareBazaar
TLSH T186F4CF42A419C899FC18D730D435FEF052A6BCB7E4F0552B2AFA3D5BFABB601090855B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SSCTEC9201.exe
Verdict:
Malicious activity
Analysis date:
2023-05-02 12:18:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6188550b-5c7a-4ccc-b9ca-355b550cba90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386115/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6450ff06463eacbc57db7341/reports/2b7529a2-e460-44a9-bb3d-3287a5bb0bb1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/18b709d4-09e5-4e1b-b1e4-50096ab7292f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224664
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 857648 Sample: SSCTEC9201.exe Startdate: 02/05/2023 Architecture: WINDOWS Score: 100 31 www.sedrik-osvald.online 2->31 33 sedrik-osvald.online 2->33 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 10 other signatures 2->47 11 SSCTEC9201.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\SSCTEC9201.exe.log, CSV 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 15 SSCTEC9201.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 3 6 15->18 injected process9 dnsIp10 35 sedrik-osvald.online 81.2.196.19, 49699, 80 INTERNET-CZKtis238403KtisCZ Czech Republic 18->35 37 www.biabettv76.com 104.21.51.201, 49701, 80 CLOUDFLARENETUS United States 18->37 39 2 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wlanext.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 06:57:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxrvoxrfhlticeqd4awuf7nhdcswkw5ozfkf7a445nchhzo6go7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02ea9a838872751f53f53611015ee23062c2cbc9b71a962caf500e54a145e87e
Formbook
10e1fd083fbaa700f1580863bc6bdc928fff23f2edc479c6a8d4e3d7ff57926c
Formbook
3c7e3789b58b388a933c51740bcdc44c6a46bdaca5969e46b6b183294f470bd3
Formbook
7d05369e7f8c3f1ae6e8e52d34c33707768c9d50c7cc688198f1e72bfebd2599
Formbook
896d0711b287b0914d88b93ff8d06623c60f45b405e12cbc34a406e09942a577
Formbook
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
Formbook
a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
Formbook
e014baadd84bece77f1f8366ea528671bf0bd70fcee974fe1a262bb0ec0a2565
Formbook
f641f1a87ee2a760b79417b410c52137c114e2618529bb90a0f281967975476e
Formbook
fba7e337e71bc76897190387a7cea0b3cd205fd03a822420f38c8d1f595693e0
Formbook
+ 2'781 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m2x5 rat spyware stealer trojan
Link:
https://tria.ge/reports/230502-pff3cach3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
b42544eef6f69b993dce47e07385ca09ff261b1a34d00494de360fcaa7f0bcdf
MD5 hash:
d4a2cb3114662cd22e4d1fee72879ec7
SHA1 hash:
5d420d8d2f06b4a6099fb15c806433d5f87ca10b
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8219b386-9b38-44a1-abe2-27e83ba5091c/
Parent samples :
dfb043181104c761880453807f8f14d992051e386561621280452e47d1895936
5729bc42c6e1c14c8b3037c66c1ce01a44c99ee234d8563b1ce61c2450cfe76c
1e4430039a9fee3f5b6c7defdde6580333a457e0840ee64a775efb32bae1deec
b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf
SH256 hash:
9db416abf3282501ea8106060bf94b58fd474c5c8be9f639afc053436a2edfd3
MD5 hash:
e6c89d07a9282d5a7fecce755b80fcbb
SHA1 hash:
eac49141a77d5292a751174c8430092781646805
Link:
https://www.unpac.me/results/8219b386-9b38-44a1-abe2-27e83ba5091c/
SH256 hash:
ccd40bb99b8bfce991fa7a1c14b601da53d7edff010490b9dc8dd030ecaae1a5
MD5 hash:
0f8a7d4a8f8bc43cb0fda4f56fa3a70d
SHA1 hash:
cdbaeff5a7dda87509dc9a0f31829704aeb197e4
Link:
https://www.unpac.me/results/8219b386-9b38-44a1-abe2-27e83ba5091c/
SH256 hash:
0d34bbd8f1b13cadcbf158e777980061b6795fd81accd29825205aba00c01cd2
MD5 hash:
a5b325809c4a8fe7c12c56d45e74d8a8
SHA1 hash:
9f77583865f6f4d1467fa2e982be8c6a35723c6c
Link:
https://www.unpac.me/results/8219b386-9b38-44a1-abe2-27e83ba5091c/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/8219b386-9b38-44a1-abe2-27e83ba5091c/
SH256 hash:
b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf
MD5 hash:
48353808819cf7a6d4557da32df96924
SHA1 hash:
188dea1e06e75391cc42fafe84e16396cafae2c9
Link:
https://www.unpac.me/results/8219b386-9b38-44a1-abe2-27e83ba5091c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5e3575e253a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386115/

Comments