MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4
SHA3-384 hash:	39a718979db42f252798485eed85ff8b4a8fc067e931545ed489d7c4e077ea1b67a3980354745bf76fd972912528503d
SHA1 hash:	87bcde6fe5aff75e27ba27d63e5ba6ae9c5a31da
MD5 hash:	fdc2585397f6e5daa7368d90bd4c1818
humanhash:	fifteen-table-kitten-march
File name:	SecuriteInfo.com.Win32.CrypterX-gen.13380.29830
Download:	download sample
Signature	Formbook Create hunting rule
File size:	782'848 bytes
First seen:	2024-08-29 18:32:31 UTC
Last seen:	2024-09-03 13:20:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:7vVVkSQKQuYE0jR30BFQ7Bw8O8ZkZqNYqCRy3PZ5YRSNFH8aLfFH/4lf:3k7RBEMECQ8ZoWtZ8I8a7kf
Threatray	745 similar samples on MalwareBazaar
TLSH	T138F422487679DB12CA6C07B0409BC7A52377AD025412E246BEC97F4FBE73B1893647C6
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

443

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.CrypterX-gen.13380.29830

Verdict:

Suspicious activity

Analysis date:

2024-08-29 18:33:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/43fd5fa5-264a-4d32-b4dd-09d4aeae2840

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.GHM.gen.Eldorado.17129.28959.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d0bee0fe69a9e56049e57e

Tags:

Generic Static Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/66d0bedf5959a837dd12786a/reports/fc8818b1-d569-493d-8fb1-1df32d5736df/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1dd0b600-126f-47cb-ae5b-32fee3770048

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1501379

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ywslsrbap4tkmyszgg774hgzkzn3eaqcvupusyjdilw7rx3zsxca._file

Verdict:

malicious

Formbook

6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776

Formbook

713da332ae6fe352c05756fa2597abcea37877e5e585d94422a055d9f45e8a34

Formbook

7af98634dd9d2f4b3a52ee5651fabf2bd1215d7a79109fc4e0ff9095119944b3

Formbook

7fbb218c97b61a5da84737c2b149277bc2d2c06601d891704d16924005379a2f

Formbook

db3e3902e7a14c0d7c4273004f0edb16f57aa33f32079d9b8dda3764c1e6ac04

Formbook

e0e7d67763efac156e039e3b9b8e4cf0e269109164788c4901f338f1399699ee

Formbook

+ 735 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240829-w66t1sxbpl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/81e898e2-1eb3-4be9-9c2e-2833f327f4c7

Unpacked files

SH256 hash:

cb0da7e09ab8975e7407182194ff29f2986dea444d724a231e09c9e9dd7fd99c

MD5 hash:

104e6a02598b3cb01356802f12d6994c

SHA1 hash:

bb60c8ab67010a4147d7f43dbb1efb417bd4cef7

Link:

https://www.unpac.me/results/6f9ccf47-4f05-44fd-98d2-52384eadf482/

SH256 hash:

c22b6e2cfed3d7e9e0bc312aedb34dd32d9b8049319032ddc7557c9756cf07f7

MD5 hash:

afafe33158d5f82d678539141bbd0455

SHA1 hash:

5746d7bc26825f9bbf73487ee0dd5324d9a19288

Link:

https://www.unpac.me/results/6f9ccf47-4f05-44fd-98d2-52384eadf482/

SH256 hash:

6735f01655f72c48128b4a6004dd154b34e7cc0b74be34d202013df036de3bd6

MD5 hash:

b52600785f7dcb7164db07d8936ca88f

SHA1 hash:

1461b200d6643275b154588b9fa2e5259b1e2d39

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/6f9ccf47-4f05-44fd-98d2-52384eadf482/

SH256 hash:

0371f633031157d98c883966e6c94a336700f5b66239bf96af10b571d059cbc9

MD5 hash:

29242cc49aa936795ada426e892c76b0

SHA1 hash:

45cfd75860f19a8fbbd79180a75c06280c79e663

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/6f9ccf47-4f05-44fd-98d2-52384eadf482/

Parent samples :

d3e597c7a7074ebbbf6def6c24c0b979de124435a2c9a01dcb9a36ee1c5864d8
8f81ed1c250530c6a24f60a8f0c39f48bd2c98f08e6100bc8f844fc3a53c6909
f4cc2743d202249ab338480e5c4cf22f2662065d078da09c89af833dbd1c1717
60734325fb48873fcbe11315a91032bef2048981cd35cdd24c6502cb81b03d92
c3d4bf7b34654afd79490a7c3ba3b19f9ccb920e3fa7649c23a73c8269fe6744
6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776
a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b
c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

SH256 hash:

c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

MD5 hash:

fdc2585397f6e5daa7368d90bd4c1818

SHA1 hash:

87bcde6fe5aff75e27ba27d63e5ba6ae9c5a31da

Link:

https://www.unpac.me/results/6f9ccf47-4f05-44fd-98d2-52384eadf482/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c5a4b944207f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample