MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc0f3afb7cb916b33ffc24d63a34236b81f71302f497cd93a6a7e6b5f325dd51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc0f3afb7cb916b33ffc24d63a34236b81f71302f497cd93a6a7e6b5f325dd51
SHA3-384 hash: 00ae0294b89f2f1685761230190c5240c34bbe9e28260fb366966796d9c8f4fdd3fa84e21540bf478b702d5819372947
SHA1 hash: a5969a3d94c94bc595d238560da7e414dd04bbe5
MD5 hash: 93c813f11f2054f4e6ba560f67f51c07
humanhash: batman-lemon-harry-arizona
File name:SecuriteInfo.com.W32.AIDetectNet.01.24746.13809
Download: download sample
Signature Formbook
Create hunting rule
File size:1'469'952 bytes
First seen:2022-05-31 09:55:18 UTC
Last seen:2022-05-31 10:49:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:/H1Y7dV/c/hB/2Vwu+g+jtF/qjWcEwNf:/H1YEqqMjWcEwN
Threatray 15'966 similar samples on MalwareBazaar
TLSH T1E86583A9318C35DEC56FC6719E581CA0F6E1347E671BD2479CA301A89A1CA57CF20CFA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.24746.13809
Verdict:
Malicious activity
Analysis date:
2022-05-31 10:04:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd779d12-f300-4d70-83d5-10e21df78e5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275689/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.24746.13809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6295e6356eb3ff326343f5ce/reports/4edce7d6-e553-4c78-9eb3-9c23e0bcf149/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7600ddc-c9ca-4fa7-b17e-46b404ddc8ac
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1004125
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bc0f3afb7cb916b33ffc24d63a34236b81f71302f497cd93a6a7e6b5f325dd51/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 08:26:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqhtv634xellgp74etldunbdnoa7oeyc6sl43e5gu7tll4zf3viq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
Formbook
19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150
Formbook
2ce3bb2f2bdd62386f03aad4fba2cf7f57fd4cf165a8205eccff61986ddd42d5
Formbook
3e20e05dc0f89bd2a37936b5e3a2631af6cdb687218275731b6f7e7f79febc9e
Formbook
65d63079af57f5ae33cb341bc94f3882d2516efc82a0373775c564759aeb862e
Formbook
702ccb0e15a20fc60f883eb8c2c89df3575c40f3ef202a6470c608536a27bc3f
Formbook
814f2e3ff651afd0a82fe2b2c953c27e8ffda9df3fd7232681da30d29573271f
Formbook
b9148dfec92ec25753e9a70e51ef698bc44a66be852a84b6e5296f873cf0ea79
Formbook
bc56169e0d244106d996f013991bc22087310511ee4a5eb00605132970ece0aa
Formbook
+ 15'956 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ne5f loader rat
Link:
https://tria.ge/reports/220531-lycabsefbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
222c57493ea784d5690409165e9fb455b8ceda272ffdf0f190e9d580d2ad5883
MD5 hash:
0c57cdd1bf7adb968d3d569a6cdeb704
SHA1 hash:
82b51f805783b2e499ccf8f8381c7d90629258fd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6cddd54b-65d3-4630-8fe5-d1141ce8fc46/
Parent samples :
2ce3bb2f2bdd62386f03aad4fba2cf7f57fd4cf165a8205eccff61986ddd42d5
e2578171e1b9bcf0282b5246a8c6cb79829387a340ca70fecdc7c48c2f6ae24c
16d4cd6b5448168900375ff0ea8e9b78874dd5814661c3ed0c3c55920e0f90c7
bc0f3afb7cb916b33ffc24d63a34236b81f71302f497cd93a6a7e6b5f325dd51
75139da91bbbaef2846204eb5525abae4282afbfab6fb63abb1a556cd435826b
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/6cddd54b-65d3-4630-8fe5-d1141ce8fc46/
SH256 hash:
bab696112c702db4aad79d72858ad98ed078332a496ed86446f885363eac955d
MD5 hash:
4e1b61103b661421e72588b402b47879
SHA1 hash:
015c8f4d1c389653a3fe1fa744a4a387888ac22b
Link:
https://www.unpac.me/results/6cddd54b-65d3-4630-8fe5-d1141ce8fc46/
SH256 hash:
bc0f3afb7cb916b33ffc24d63a34236b81f71302f497cd93a6a7e6b5f325dd51
MD5 hash:
93c813f11f2054f4e6ba560f67f51c07
SHA1 hash:
a5969a3d94c94bc595d238560da7e414dd04bbe5
Link:
https://www.unpac.me/results/6cddd54b-65d3-4630-8fe5-d1141ce8fc46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc0f3afb7cb916b33ffc24d63a34236b81f71302f497cd93a6a7e6b5f325dd51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275689/

Comments