MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910
SHA3-384 hash: f5a8494a8125f05b227a7d07bb914c83846f52d90217f9f6621e308076a3e897d49dc3cef1dab1c917565f17296558bc
SHA1 hash: 499f19e81568b3a9ad11a69b1506cadefd06d9c0
MD5 hash: 723e0598f2c1517b13506ea1521471fc
humanhash: don-carolina-sierra-mars
File name:Indirect Standard PO_6400456813.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:673'792 bytes
First seen:2023-10-05 12:01:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:4iMy/jZjSu/bAsWMEaH91sw4OHcfIhwEvoag4QbWS018uxmV/5aLEw:xLZjRDiRAYw4pAhwEvoxTRtQLE
Threatray 27 similar samples on MalwareBazaar
TLSH T198E4022077EA5F36D87A43FA0130450017B67DAF6578EA4C1DC670CF0A66F825AA1FA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
DK DK
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.1476.17507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651ea5bdbe42b2ac8e5c480d/reports/3171fbf2-bb09-4213-b75b-9b0ef022d269/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79cfa714-b842-486f-90d6-05cf5a52186c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1320221
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 08:15:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcbhwm4fwth4ryyzcoty47qqr77kulfnbgomysouzmwcn3ofveia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d
Formbook
42c0bbf88390cafcc303696b01420c9233df8822285de01dd73a1dfe8b5b11d8
Formbook
467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
Formbook
53f8211db510203634da93d5f2616ead5784031d1fd9d1ad245e25719fa974a9
Formbook
988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2
Formbook
a3e03018e2dba7a61cd424c3b09864decf28815e7a3d84187f68ebaa395de908
Formbook
ac10fa3a6b7cfc8385aba614ca8f0da49fe6b0cb6f1b939ec0f0046ecf80ca64
Formbook
cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
Formbook
cecee88a7617e74a94da62a630b47509785f2d0dd45bae200fba376915eff317
Formbook
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231005-n7fefscf98/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
44ea892d3a7842f35321e9c5c3adfa7bddb7b6751d45125ab87896672e132fd6
MD5 hash:
0edb95ff1dffb486dfcc9769da542a2d
SHA1 hash:
9152f9d136c8cd5bba085d73de7f57f7d67811a6
Link:
https://www.unpac.me/results/cbc974e7-7187-42ec-a140-84b10a55d5b8/
SH256 hash:
cde067e2808194ba66e53839a3199f5cde30efbea01c317cdbf5e1311c5c80ad
MD5 hash:
d621db156a21ed9f984d71668f4f7c08
SHA1 hash:
afeb86a9825821a589c1417c6e5995a336dd1996
Link:
https://www.unpac.me/results/cbc974e7-7187-42ec-a140-84b10a55d5b8/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/cbc974e7-7187-42ec-a140-84b10a55d5b8/
SH256 hash:
af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b
MD5 hash:
ec0b80883f0b18fb75a48dd18795f514
SHA1 hash:
afe9537c27362b6769a1df0ad414b8e58d34ea40
Link:
https://www.unpac.me/results/cbc974e7-7187-42ec-a140-84b10a55d5b8/
SH256 hash:
221f7df01c882ecdc9bd81f76ec934603c778691d64f95552e62709a2fb81a98
MD5 hash:
fdd8ed8c5342f3df04efdaf4071b3320
SHA1 hash:
6f1c5e64f9d67a95768ab6ee4155d91c013920ab
Link:
https://www.unpac.me/results/cbc974e7-7187-42ec-a140-84b10a55d5b8/
SH256 hash:
c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910
MD5 hash:
723e0598f2c1517b13506ea1521471fc
SHA1 hash:
499f19e81568b3a9ad11a69b1506cadefd06d9c0
Link:
https://www.unpac.me/results/cbc974e7-7187-42ec-a140-84b10a55d5b8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8827b3385b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments