MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a
SHA3-384 hash: f87067b93d0399dc2d23010b01a1c9ad024087a0933f783c025a6c5ea55d2ac2051e9b197eae27ef68db5f189dac382b
SHA1 hash: 467eb88366dd6778937cc682f2d0793bb8b8e4e2
MD5 hash: e10fec549c39c3274dcda749ec3a7119
humanhash: stream-blue-seven-beryllium
File name:SecuriteInfo.com.Win32.PWSX-gen.7437.3396
Download: download sample
Signature Formbook
Create hunting rule
File size:618'496 bytes
First seen:2023-09-20 11:40:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:of1Qxpw8pplE3iifF2iRRv7lAscevzlfgzvulAvheD1P/wOwJ:Vxpw8CF7l9c25gzvulAc1/Z0
Threatray 10 similar samples on MalwareBazaar
TLSH T161D423183AB48F5AD4F90BFC143414056B75CE4BF999E39A6CCAE8ED4B56B6182103CF
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 886443434b83cbe2 (17 x AgentTesla, 7 x Formbook, 4 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Outstanding Inv 6662.xls
Verdict:
Malicious activity
Analysis date:
2023-09-20 11:39:36 UTC
Tags:
opendir exploit cve-2017-11882 loader formbook xloader
Link:
https://app.any.run/tasks/b85ab154-6097-4194-ac11-e7f5ec917437

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450015/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7437.3396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
DNS request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/650ada4f32ffdb7a7a0cfcc9/reports/3f605b1e-d0f8-4288-ad3e-8eba28cae7c9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1510790d-dbee-4ea7-84d8-4a3a8b867dc8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1311501
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 06:06:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4drt6kyr3pi2q4nec2utnh5imgjgy7ou7ouf2fblpt5fjjaev5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28375a1b1f2ea0e88846a60930ad76d4c68bd3f0545daebced5fb64fca085616
Formbook
2ae4e8a0670ccf4c27523323f5d40c994709abf7cd7336ba7c48ee50861430df
Formbook
2ba5d8e1c77dac550fd1b7d19174670a30da616780dbad4d386f6b9dc2121e9c
Formbook
51a15921691e898e879b022164f0cfd0cacdd2214116ac176dab7b9d124f8bc9
Formbook
66e9b5aad3bc2d59cdabefdfeecff99d0e60fd9d65ae7cd60d8a8db80adf48cc
Formbook
75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f
Formbook
7d0d45caa5fb24fef82b7ab932fcfa907db162db0e7e821d3adcc457f30764bd
Formbook
8132806c05668768f28af83ccb49438520dcb0ece18326db9698623152f35018
Formbook
845adc24e3235ebe41dd0d7f8c3b044a5c485e89af4adb60404c4ac915dcad21
Formbook
becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230920-ntewrsaa94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
4d416cf6c8cb3cf4b854845a9157a6d1a3568afa5ff7dcd0ec647cf71d31d944
MD5 hash:
ae7d012392a207bcfce429ff3613e8cd
SHA1 hash:
a4dd7eeb7b0ba5fddfbe15c9fcc87e491a70692a
Link:
https://www.unpac.me/results/23109a54-4cff-431a-82a0-d6a4f19f5dea/
SH256 hash:
e0f755baad7ec9ba5ce3e17d71e5c04b6b3cd2082322c82ba56314d4b5013cb9
MD5 hash:
9a3abdfe4d7eae1aa1b7f0a8369522ee
SHA1 hash:
ad52b5bc44581712fca5163bded15e1a7cfaafe8
Link:
https://www.unpac.me/results/23109a54-4cff-431a-82a0-d6a4f19f5dea/
SH256 hash:
f9f3109495654f3f546aa88581b04d92c0480814dc8edc27c6e94f1ec5fd324a
MD5 hash:
9e42308e944d82bf56814fb2e029b0ee
SHA1 hash:
997a3afa387ac7f5b95132c503c251057244ff46
Link:
https://www.unpac.me/results/23109a54-4cff-431a-82a0-d6a4f19f5dea/
SH256 hash:
30ec0f7cc9adae9121e8bd4c6e71b7ad2fff46d0fbd8d0fff969dfdf6cac778c
MD5 hash:
ce7d3bccac24ade379cf26783021336b
SHA1 hash:
279a98251336a11b1620b9bc1ade072f65a6502b
Link:
https://www.unpac.me/results/23109a54-4cff-431a-82a0-d6a4f19f5dea/
SH256 hash:
61a4eba25269321c979a4c4780cb26e034f76b59da03a1fadd9a2fc8a1a4c51a
MD5 hash:
46a632138716fa224691a345130b6bcb
SHA1 hash:
20d3b6ad1e63a90c1f5754826043ecea28b5436b
Link:
https://www.unpac.me/results/23109a54-4cff-431a-82a0-d6a4f19f5dea/
SH256 hash:
b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a
MD5 hash:
e10fec549c39c3274dcda749ec3a7119
SHA1 hash:
467eb88366dd6778937cc682f2d0793bb8b8e4e2
Link:
https://www.unpac.me/results/23109a54-4cff-431a-82a0-d6a4f19f5dea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b70719f9588e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2712652/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/450015/

Comments