MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b785f1d99e5fdebea270af63f0e02600995989af85eb754fbb1e9cc141d26d5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: b785f1d99e5fdebea270af63f0e02600995989af85eb754fbb1e9cc141d26d5f
SHA3-384 hash: 73aba53e738d603735f1c752cc61186755bfcdd2cae01262fa297a5582f2482c8a1971c17ca253adb06f0736a8ed2637
SHA1 hash: aacf3513329bcdb2b31661e2f90a11a7d8dcff49
MD5 hash: ff3dbf88b99f9e06e0cb8be49a1aae62
humanhash: robin-cola-potato-happy
File name: RFQ#o52824.exe
Signature: Formbook
File size: 698'880 bytes
First seen: 2024-05-27 23:14:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep: 12288:tD3yvK/pKVbiNRSZJp1IpmyzEDJtzXbXjR7mp+gFxfq2I6uv7J79Womp7:JyvbiNERDJtzD9VgFhuXxK
TLSH: T1CDE4230567D90749D9FA2BF1E52511260BF17A263260F37C1DE621EE1ABBF004B21FA7
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 428
Origin country: CH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b785f1d99e5fdebea270af63f0e02600995989af85eb754fbb1e9cc141d26d5f.exe
Verdict: Malicious activity
Analysis date: 2024-05-27 23:15:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 95.7%
Tags: Generic Static Swotter

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 1448193; sample RFQ#o52824.exe; start date 28/05/2024; architecture WINDOWS; score 100), recovered from the flattened graph view:
RFQ#o52824.exe started; signature: Injects a PE file into a foreign processes
RFQ#o52824.exe (child) started; signature: Maps a DLL or memory area into another process
vnkYVEFJwfyEeXCmyVHIfAFmXbq.exe injected; signature: Found direct / indirect Syscall (likely to bypass EDR)
chkdsk.exe started; signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
vnkYVEFJwfyEeXCmyVHIfAFmXbq.exe injected (from chkdsk.exe); signature: Found direct / indirect Syscall (likely to bypass EDR)
firefox.exe started
Network contacts: www.pharmacielorraine.fr 91.195.240.92 (ports 49747, 49748, 49749; SEDO-ASDE, Germany); fcelectrodesign.com 192.99.35.32 (ports 49741, 80; OVHFR, Canada); www.hfceline.us; 4 other IPs or domains (7 other IPs or domains at sample level)
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2024-05-27 22:41:06 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 23 of 38 (60.53%)
Threat level: 2/5
Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 75f08912e34c666ced446ef0428418e0e44171b186e871b3a487d5842c806f63
MD5 hash: 490019af2332b5757a8a494e8acca473
SHA1 hash: da21265ec690ea503b581a05affcaf054e3334c1
Detections: win_formbook_w0 win_formbook_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect PE file that has no import table

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe b785f1d99e5fdebea270af63f0e02600995989af85eb754fbb1e9cc141d26d5f (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
