MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627
SHA3-384 hash: 4b119ab4d377f921971147a123c586dc61cb0ac16ac18ad41f912082efc8ce6c9873d1fcfe0e23307b2c957e15c5e8aa
SHA1 hash: 9a943ef7d0df9bbdd6428fd073d90d268ded0f10
MD5 hash: 31f896d275bb8c6c56672abfa40334e9
humanhash: grey-july-september-oxygen
File name:RFQ$$FOB_BASESRep. of KOREA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:838'656 bytes
First seen:2023-05-09 18:17:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GpmzUweNQCmrOkQEObwR6GRrlGmc/oBMBNZ78lLRk6ndFreOrbNj5AyTP:G27UHMODOT9omF1RhKOX3x
TLSH T15C054990D1C9ECA5D00B11725838F939382DF79B91FBCC792A2EA504A5B7352356BF0E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d884a68e96a29acc (4 x Formbook, 1 x AgentTesla, 1 x RemcosRAT)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387922/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645a8e5b8399e8849cbcaf10/reports/b933ea85-4355-4a00-925e-aa64364bbf7f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9bc35df1-d8fe-4a15-959b-253d5ed4963c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1229489
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 02:48:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xctqae7aeb2o6zpeb6oowqmvidjzcipma2rowamal4soqdyhsytq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230509-wxk6ysdc57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
9c0332033cc4aff58a7e965c7aa1898fedea5208f18ce79f2288290f5565c4bc
MD5 hash:
78bcb4f17e7012f839564dc1d7930cf9
SHA1 hash:
c4d4e3f45917faa856e69ed4f45e3c4bb17afadf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
Parent samples :
f815d1ea14ef2734defc99e94b62ea6d0fd6a98f15a17c4476eef17b14f2587e
73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627
4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5
SH256 hash:
958d1dc1b7321d5e6eff78652e8613e59bc6621bc98a2a6cb8f74eeedfaee9bf
MD5 hash:
b00cd696de344241cc4a2c4bab86b638
SHA1 hash:
d113054d741087f62d31a8c1097ec56872d24b74
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
SH256 hash:
5f6f670b20d53147ecae52f428a1f50af3131a92f54da503b5a3b8ab464cb793
MD5 hash:
717ded2a114f2d278807f5e29eec8981
SHA1 hash:
df99ff0f01e0b77dd1dd065976676bfca9acfefd
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
SH256 hash:
83fde4c9e3bd778ea729691f2dbae3a3921ca37c620873d5015e059366bd45ab
MD5 hash:
875c44e3510ef7b26167c427e22985fb
SHA1 hash:
7085e54effb2e903cbf2bface0dad4bd28d4a7c1
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
SH256 hash:
bd5a44b4a999bb017370850bb2cba7c0007d33ae23a73a55cc31695c0f71b965
MD5 hash:
74beaad93358913fe826fbaac72399d3
SHA1 hash:
555ce540f48bd0922f73357f0438debef65a0377
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
SH256 hash:
d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218
MD5 hash:
e5d93dadd08b8bc727e4f4853c6881ba
SHA1 hash:
27e0e057d33f01586193b0cbf06561c2863951f4
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
SH256 hash:
b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627
MD5 hash:
31f896d275bb8c6c56672abfa40334e9
SHA1 hash:
9a943ef7d0df9bbdd6428fd073d90d268ded0f10
Link:
https://www.unpac.me/results/1f00b242-a175-4572-a08d-9cb2ffa708ab/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8a70013e020/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387922/

Comments