MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0031f76d11e573bc066ec9a6b1619e7f81028063e35030b42ec2395f3a2e162. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: c0031f76d11e573bc066ec9a6b1619e7f81028063e35030b42ec2395f3a2e162
SHA3-384 hash: c56d0ae2141f467baf71e82110fc533df63dd95b1aeb96b8e0bb839db67dcd7427753310db2d9192b6cdc4555c95fafd
SHA1 hash: 11a6eef9bdd8091c2bb5dfdb92356cd8aedf60fd
MD5 hash: fc53912c618d51bffdc34fc630b694c9
humanhash: arkansas-georgia-sierra-skylark
File name: c0031f76d11e573bc066ec9a6b1619e7f81028063e35030b42ec2395f3a2e162
Signature: Formbook
File size: 1'030'656 bytes
First seen: 2023-12-07 15:05:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tDwMaylvcV2Sgul5kE6jD/62iNID4ZRxGEwas1gTerRb1ZVlJL+cYc5fVKTENzyQ:BPtD/61w4Vhs1Ce9b1ZNV5cENyUH
TLSH T1C025BE1B1DB43B89D4B683F78528420D07B66D5D7CEAE39B1DCD70DACA727811A06B23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): PE icon
dhash icon 4c33d8d4d4d8324c (40 x AgentTesla, 23 x RedLineStealer, 15 x RemcosRAT)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 293
Origin country: HU
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: ID 1355532, sample 1OSvhPSff7.exe, start date 07/12/2023, architecture WINDOWS, score 100 (interactive graph not reproduced here)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-26 13:08:36 UTC
File Type: PE (.Net Exe)
Extracted files: 19
AV detection: 17 of 23 (73.91%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments