MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c875024dec744f6883a1716dc5bf67cd65e1cb201f7d2b40fc4a953101ae9848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c875024dec744f6883a1716dc5bf67cd65e1cb201f7d2b40fc4a953101ae9848
SHA3-384 hash: 7c7e717d04aabed60184f673de0c4f7bb8581f58961f3228da3566dde2a17c1d68d44b12f46c0e9669ad0421dd0bd2fa
SHA1 hash: 1cbc9d6bcef573bf0562eee10c6e5f859c5c520b
MD5 hash: 7e82ba415cc5d4d1e3c07617d9132b93
humanhash: fourteen-video-iowa-july
File name:SecuriteInfo.com.Win32.PWSX-gen.2938.24535
Download: download sample
Signature Formbook
Create hunting rule
File size:1'133'056 bytes
First seen:2022-11-08 09:39:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:iUENaD8PbOMPJKzzYHE2wYUndDiXJAf0+X:SNXTrsH7nliXh
TLSH T11035CFA030711FA5D67ECBF68224266883F72EA6621FF24E4CE170EA1573F834654D67
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.2938.24535
Verdict:
Malicious activity
Analysis date:
2022-11-08 09:40:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d5adf8b-dcbd-41de-b4a4-0565abcc7449

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/330444/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2938.24535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636a23f4470500d17a1edeed/reports/149c5ecb-b0f2-4f0f-99e8-c345778841c5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a837965-8837-4eac-bdc4-3d2c00dfc856
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1108091
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740757 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 08/11/2022 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 8 other signatures 2->66 10 slDKJXx.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.2938.24535.exe 7 2->13         started        process3 file4 74 Multi AV Scanner detection for dropped file 10->74 76 Machine Learning detection for dropped file 10->76 78 Tries to detect virtualization through RDTSC time measurements 10->78 16 slDKJXx.exe 10->16         started        19 schtasks.exe 1 10->19         started        44 C:\Users\user\AppData\Roaming\slDKJXx.exe, PE32 13->44 dropped 46 C:\Users\user\...\slDKJXx.exe:Zone.Identifier, ASCII 13->46 dropped 48 C:\Users\user\AppData\Local\...\tmp2F14.tmp, XML 13->48 dropped 50 SecuriteInfo.com.W....2938.24535.exe.log, ASCII 13->50 dropped 80 Uses schtasks.exe or at.exe to add and modify task schedules 13->80 82 Adds a directory exclusion to Windows Defender 13->82 84 Injects a PE file into a foreign processes 13->84 21 powershell.exe 21 13->21         started        23 schtasks.exe 1 13->23         started        25 SecuriteInfo.com.Win32.PWSX-gen.2938.24535.exe 13->25         started        27 SecuriteInfo.com.Win32.PWSX-gen.2938.24535.exe 13->27         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 16->52 54 Maps a DLL or memory area into another process 16->54 56 Sample uses process hollowing technique 16->56 58 Queues an APC in another process (thread injection) 16->58 29 explorer.exe 16->29 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        process8 process9 37 svchost.exe 29->37         started        signatures10 68 Modifies the context of a thread in another process (thread injection) 37->68 70 Maps a DLL or memory area into another process 37->70 72 Tries to detect virtualization through RDTSC time measurements 37->72 40 cmd.exe 1 37->40         started        process11 process12 42 conhost.exe 40->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c875024dec744f6883a1716dc5bf67cd65e1cb201f7d2b40fc4a953101ae9848/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 09:40:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zb2qetpmorhwra5bofw4lp3hzvs6dszad56swqh4jkktcanotbea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a4b0 rat spyware stealer trojan
Link:
https://tria.ge/reports/221108-lm7xvsbhgj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/957163a5-cdea-4fe0-8c73-80f44f372b2a
Unpacked files
SH256 hash:
92517f96cf0ea92dbd830c7a69d66c75a0d322d52361d7078b2ab8c4ac954129
MD5 hash:
799a5a5beca91a5a079b4c0f272fa43c
SHA1 hash:
6a32981af85f0fe86371fc1e651c894530feadac
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/78c51fa1-44a3-4735-9474-6b2ecdb09913/
Parent samples :
baf5d53f07c0cc8ed9ba7055cc91a18b936d0342e0792f618ee6846cbb8859b6
c875024dec744f6883a1716dc5bf67cd65e1cb201f7d2b40fc4a953101ae9848
0422eb91595e9d98d7f4373f91bf00c8da685e1cae1545082807698d9be95b8a
SH256 hash:
13e80fde971ff150ba6cc8008a9be6c02401fa85925b91662b84f1da7b0826d8
MD5 hash:
0d529117d051d9f40242787b84fe9e0c
SHA1 hash:
90623a4bc25293f51803b60cdcad2e54fbcee67f
Link:
https://www.unpac.me/results/78c51fa1-44a3-4735-9474-6b2ecdb09913/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/78c51fa1-44a3-4735-9474-6b2ecdb09913/
SH256 hash:
9d25c77c326b8d132b3af24682f9a004d00e9f50abd36f932fcf22462f8015fa
MD5 hash:
02cd7ee271a97ebecb37da80881e4d24
SHA1 hash:
7b0dfd8d8adc60d5523e39ef1ab94d48e18d1b9e
Link:
https://www.unpac.me/results/78c51fa1-44a3-4735-9474-6b2ecdb09913/
SH256 hash:
be890671b670947533be0b2c0279e1228b7bb71e0391139ecdebc8cf0d8cbfa2
MD5 hash:
837fd2d6435f08532aa1f2cabea4a8b0
SHA1 hash:
12a812cea4f44dc55551b92a71e7d31742d8658c
Link:
https://www.unpac.me/results/78c51fa1-44a3-4735-9474-6b2ecdb09913/
SH256 hash:
c875024dec744f6883a1716dc5bf67cd65e1cb201f7d2b40fc4a953101ae9848
MD5 hash:
7e82ba415cc5d4d1e3c07617d9132b93
SHA1 hash:
1cbc9d6bcef573bf0562eee10c6e5f859c5c520b
Link:
https://www.unpac.me/results/78c51fa1-44a3-4735-9474-6b2ecdb09913/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330444/

Comments