MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9
SHA3-384 hash:	f3177a7d89623d799821b81aa4a68e139fad52a4122d81ff823450665e356beec984c3e9cade4668f0e59046a064b82b
SHA1 hash:	a2770fa55b9e3587b391ed77e836871277f61058
MD5 hash:	bc7bd2d5d1caa4b03beb718a59f602e1
humanhash:	xray-nebraska-alaska-spaghetti
File name:	SecuriteInfo.com.BackDoor.AgentTeslaNET.35.23070.20861
Download:	download sample
Signature	Formbook Create hunting rule
File size:	866'304 bytes
First seen:	2024-09-05 19:22:33 UTC
Last seen:	2024-09-11 20:53:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:0qdBj0z1acAf1UoIG5MPU0wOqp0kFqxR/OSg/MY+r30oztO/m9oqRfH/+PP+owYQ:GA9UobyTkpLFaOl/Mx0wDSqRXu9nY
TLSH	T1AD0512C563A0BE66CC7704B785274AD66EB05C2E9130FB925EC3727F89BB351A221743
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	00a282a2a282a200 (17 x Formbook, 11 x AgentTesla, 4 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.BackDoor.AgentTeslaNET.35.23070.20861

Verdict:

No threats detected

Analysis date:

2024-09-05 19:25:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c91bca81-ebe7-40d9-b75e-a84a44129003

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.35.23070.20861.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66da05188e12b8124ac9550c

Tags:

Static Swotter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/66da0519e19c06a3e691dbf8/reports/cf75dd33-41c8-4201-9ea3-650e4ca09f4f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb04ddb1-8733-4177-9e50-fe8bbf144713

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1505180

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2024-09-05 04:31:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zdveorz5xsl47iroszvp2pkemnhakpwwwgizof3vg5urvgp3nluq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240905-x3snnaxfql/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6018e7e5-852b-456e-a146-5323c2377f4c

Unpacked files

SH256 hash:

a8bc7efe8d50eeb9570ae8485d1e43d7a03ba9525c191e31127350b73682ab3a

MD5 hash:

055be58180fc3de1128ec7fe76ca2ed5

SHA1 hash:

b479c240113103b25f1d55a8e3ad126c04ac6075

Link:

https://www.unpac.me/results/f2eb140c-9e7f-4797-853a-f3ead3433627/

SH256 hash:

501ebb8aacde462a74b01739876a428dd0a5947f3710659808dcad305145ffce

MD5 hash:

b51904d801547b237a5365e0073c7a52

SHA1 hash:

c1267d80f91e046bad2df1e1f9c2b303d83dbbb1

Link:

https://www.unpac.me/results/f2eb140c-9e7f-4797-853a-f3ead3433627/

SH256 hash:

150c6e7de31574a3dc8c09d743987ec2c43c9bd0e6aecbf91042722359e3adc0

MD5 hash:

48815524d9fe314ab98f8df0b182908f

SHA1 hash:

a0e4dded97841cded11dce2a1b84670be882f22c

Link:

https://www.unpac.me/results/f2eb140c-9e7f-4797-853a-f3ead3433627/

SH256 hash:

97275a7f940659a4143b7b8fee2f6010bbc8bc72735faca2c18d292d193c0513

MD5 hash:

c83fc109fb473c37b8f9f188b8dec415

SHA1 hash:

2359da797f395f1579119da6ce77c51950fac935

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/f2eb140c-9e7f-4797-853a-f3ead3433627/

SH256 hash:

c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9

MD5 hash:

bc7bd2d5d1caa4b03beb718a59f602e1

SHA1 hash:

a2770fa55b9e3587b391ed77e836871277f61058

Link:

https://www.unpac.me/results/f2eb140c-9e7f-4797-853a-f3ead3433627/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c8ea47473dbc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8ea47473dbc97cfa22e966afd3d44634e053ed6b19197177537691a99fb6ae9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample