MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
SHA3-384 hash: 20e9130d00e821717c3160254d1438d1a6fb410ca1535de8f332fab25ab41d8185be11fb3b1151bf1cc0b40433074643
SHA1 hash: 7169498e78ac0b174844a55a7683f4786757fe21
MD5 hash: 3144211fe9bcd2d75572492535ef1c1b
humanhash: fruit-sink-king-zulu
File name:hdmw0l448aEfYnt.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:712'200 bytes
First seen:2025-04-14 13:10:16 UTC
Last seen:2025-04-23 11:48:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:UtVilaay84PIixJFFtIJJ6YPnzLYQDhxCu6E+K1XfOcvrsd7S/MfI7jkR:UulaVwibFFgJ6kzLXPD+KlaW/ha
Threatray 4'182 similar samples on MalwareBazaar
TLSH T13DE401142359D806D5E61B784A32C37C0AB7BE98E935C3435EDDBC9F3B6BB4616013A2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 88c0e8ba62f49a97 (11 x Formbook, 3 x AgentTesla, 2 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
448
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
hdmw0l448aEfYnt.exe
Verdict:
Malicious activity
Analysis date:
2025-04-14 13:35:50 UTC
Tags:
formbook stealer netreactor xloader
Link:
https://app.any.run/tasks/978de05d-ea34-4df9-891e-96fe348ee1d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2166/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fd13361dba888a93d39659
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67fd096b931404048d7eb938/reports/93038fc3-e122-461b-8c57-54551132ba99/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d943172-9bca-4b71-ab04-117011522c26
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1664566
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1664566 Sample: hdmw0l448aEfYnt.exe Startdate: 14/04/2025 Architecture: WINDOWS Score: 100 59 www.it4n1ar4t0k7o0.xyz 2->59 61 www.9ydygorig3l7z.xyz 2->61 63 4 other IPs or domains 2->63 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 83 9 other signatures 2->83 11 hdmw0l448aEfYnt.exe 7 2->11         started        15 GBDCme.exe 5 2->15         started        signatures3 81 Performs DNS queries to domains with low reputation 61->81 process4 file5 53 C:\Users\user\AppData\RoamingbehaviorgraphBDCme.exe, PE32 11->53 dropped 55 C:\Users\user\AppData\Local\...\tmp4891.tmp, XML 11->55 dropped 57 C:\Users\user\...\hdmw0l448aEfYnt.exe.log, ASCII 11->57 dropped 85 Uses schtasks.exe or at.exe to add and modify task schedules 11->85 87 Adds a directory exclusion to Windows Defender 11->87 17 vbc.exe 11->17         started        20 powershell.exe 23 11->20         started        22 powershell.exe 23 11->22         started        24 schtasks.exe 1 11->24         started        89 Multi AV Scanner detection for dropped file 15->89 26 vbc.exe 15->26         started        28 schtasks.exe 15->28         started        30 vbc.exe 15->30         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 17->65 67 Maps a DLL or memory area into another process 17->67 69 Sample uses process hollowing technique 17->69 73 3 other signatures 17->73 32 explorer.exe 32 1 17->32 injected 71 Loading BitLocker PowerShell Module 20->71 34 conhost.exe 20->34         started        36 WmiPrvSE.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 28->42         started        process9 process10 44 msdt.exe 32->44         started        47 cmmon32.exe 32->47         started        signatures11 91 Modifies the context of a thread in another process (thread injection) 44->91 93 Maps a DLL or memory area into another process 44->93 95 Tries to detect virtualization through RDTSC time measurements 44->95 49 cmd.exe 44->49         started        process12 process13 51 conhost.exe 49->51         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-04-14 04:00:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zefs24rjnne4okzcc5z4n7ggkzeob4fkp76geyiwqhe42b7gx4za._file
Verdict:
malicious
Label(s):
captiveaaloader
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
357b3313f39b40d4b9acc1181d3eca642418b945e0b35cc0f3c436b9598fd8a5
Formbook
4656e43fe5addfaa6f568353d432f7ccfea23b8c64e0e10641716822e3a199fa
Formbook
7636a9a372ecbe65e84e5c16e626ab03929a0089d253d4dd391b915774dd67ef
Formbook
b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
Formbook
+ 4'172 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hi13 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250414-qe1k2axnw7/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd245b0e-09a8-4615-8f56-939811008d35
Unpacked files
SH256 hash:
e8b2b6b5c16bb401c7140c0bac5e869785965cced17f0d9bf7217251531b5662
MD5 hash:
b03b358204ff3e931185198e3fdfd9b1
SHA1 hash:
15b36b8fe3ae06c129b22d843ea2c6328e9387ae
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1688ca50-ec09-4e36-bcb0-9f4f0dc48458/
SH256 hash:
d1565b7e500f1d93873d3a5d622385a03278f79dbb35281ab4aea1896e2ac030
MD5 hash:
af69bcbcf5c38f9e1b050b199a8a0d3b
SHA1 hash:
7d5b9e7c687e091651b5aac0c0196e1ce82516c5
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1688ca50-ec09-4e36-bcb0-9f4f0dc48458/
Parent samples :
2a70db0a80475b95076e3ac773bf31a512eac29e3bc6f2742146815dd209f5e9
804ca58e99fe47f33eb0ee7db9b0e4794dbe30c165f219bd85884f0f84ac7846
8a83249f26da9d22a6f3c1de677e98b4872368f013d21e87391417bf31da0b98
af33ab150d8a4076d522d235ff3b77508ec19e52b6ac17bdb6eccd842f6babc4
a6d1bf193f5a5f2f6f9e766dffb51b66122e96dc8d2b76c3674fe2968d32c811
41d7369f717e33a88918da397a21fdc2a1db9c76629b7d5c6be1786f8cee9d5a
a05882d8e179d3a1a3ac69ce4b81bc72ee80f026d921e2598a5eddefd803511b
1b9ddbe7a21e44c82dc78c8e8361baca31adea4d8a8e673536b249b46305860c
2c815316f091040c2f89bcbaae0464cd89a9bfd5225f917ac01fabb9136a3fd4
fc523562bc368e6ab9c0106a1f3d6e23c4104f120c65c65b9c9adb2ee57c63ca
fd4c4d051a2d6a69a40e1e8f2f4a1cbcd54a4f27fd7ab4843452c98611aad9c7
c7d5e01e287cfc5c4c967c1ec895659bf25a80fbe8266a87f083bc80ddc82cce
46b9ea7cdf572a0e0128450f141ab2c31922dbbea4b632401fe42d85ba21cbcd
88d63b81ce4d25ca852251449940416ac2a8c61f5cf4a452ab690d26dc372876
72be9fedc41813b76d9a0707925542a7919f9192ca9cdc8ef82b952dce22da4f
4ac15244ddd64dbbf277c8d20628a9593dc0df8feafd932a7746d1b99c2ba826
17445fc3b78c7a08d5c4bc4164d04f99a4906ca50fc7552c1420c9efbebfe215
ef31c771e1f44656fdc9e84c3745d8bef369879697c144110edac6b814878ee3
071ecee4bd6564ec46147d2cf3f94c230f6da364a7eca4305e2f69f56e8ac4e4
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
90c33f008fb667cf96ff92b14f8834e702e3f4444d195328c9be186e801e6823
4dce97ef955a132177e7043fc0d11e35c3e1d03f833b3b30951d7b2ce6db735e
094c46819bcd5e6fb0d7cc1415452e1ad1654da29a54685ecb8f92c751bb0822
d3b0e954250d481d37ce371255c6eb7deb4bb53c1784f2a7111487bb42f4ee5e
1ebc38bc1bd49c8564e94d2242c4deed0bd0d69c0086ab7cc2dc180c77a989ce
b4391a76a1e786d93c45cb78576609d9f75ce63d9253edac9c66ef921b5a7de6
909759c61b9cc4ea2307f313c5d944e3cc6c5210aabb7d53477262b725aa086e
15a7845256801920c72d8eb0b8be091fc8e6bc2461bf1cc53db2cf2b3c76b315
53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
82ebf6faf3f97b1fdc2508ef2fb4c22c5e39bd2572c95d358574d2bfe280aa3a
dbb10cc6fb3fc9fca393ff312d53af0d938aae2099e23dd69d1fb9ce6828f3b8
f8984264632a0aba48bcd90967988aa1d2c10f9381d00abc08456431ea46d208
e594f00895dd29d763379ee4aa87c6004e811385f71077959674c4ef636f5a2e
761766237d7a8d58a5cdf2aa5ccace247b724d033d3196bc441c6a9c31717561
b1e2b8b0806852aa586a0491fc91a832babfff3882eaed12a6b7d2e7b776d4c4
b259302d7ea5bfb1f2ad8f50e8de4df48d96021070ee77c5b7819583ec43f372
6bb21551577d98edc3a3c4db8d941258f86c89db185fa2095f54ad4944a62b87
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
0103b1c78fd2b588d3df5c688369fce8621e8c22d3207faaa1e8404c0ac860c9
f2392e04e5ffb9bcee95ce763a7686322a9abd7210af28ef3f653402515a6013
8357f957b093fda087166e77b0e6a59d8d0d2fde1002d0be9ce5f99db26d63bb
be4448d373ea201e390e0bb158bba4f3ceb111ff37cd586c770a3d0e887d5bf1
c36369fab2df20ecfe48904d1e740c361fbf72f7f06221cefcbb1586d696506a
f91c4c7fd22d1d1ad83e7b8984b7b317689c6c75b3dc5ad29292a72161ab2164
d00a21bc17cc36be9b55a6c36f6c51e3f8f5300bfcd80246cfaadc4d3b638a99
db54fbe35d83bb19deaf215649ce9c33974913b4a03fb0060f6afec3a33d1d42
2fa30c4928317befeb052607fb0181fbd4be52f5b2c37cbe4bdb42e743355449
b155dd58a04167ae2b542b3e84c60e2761bd66e7a96f66476d5568b84b801936
c7bdef6f72689a3279cfbd4a47882019055e0138cdb2ab229cdb96f9ed541196
1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3
2bc972f3ec09f8d1bdc1b25a3fe57db9a08577117d3a0d0ce5e5282e976d9111
5506f23308b0b3dff288866ab0b560f2fe5d61f53f4730428ab145f5ee033f84
8734c94b5ebc9260065d6ac359500b8f17f290be6c74bb72b9c0cacccf9b7d63
dbbf0fd1d25e6411faddab4b2f689dcffd04ce06642e1319f9d6fb00a2c343ca
b8c36a5b681b071cc8c8a34fa1d1656b705dbe1f433706b386b78fd73ef6e884
bd786fd63a731d3b49654aa94045c0b9c11c5c7112636befa6ecee7ff91d4c51
99af728a80e56652b6622bc371fd9a6cc4702e2c5598918c42eee05681850d2b
a9d818bc38d2a84ff40e54a062a9fba01a0648300fb1a892432547bc5b85e158
9c50c6516f166d7975bfb56b0a41cffb52844eb63c1c9ef2fd3502305d075a96
ddbf042dcfbeef6cf190530ca077b62d1366ef54356d0ed63814e8b9b07ca8de
31699232fd5243c9ed94a774b8b36fe40211590ba9460d8eca4251c24618beb9
5d8ae2e91d0e7c2dfb51972bc8f825ed37a76ab49d70809a446bcf3dd9dc9759
c0834472538b4521860ce0d38b7fb302e06da7fb0f328d2ce1614b176b44f5f9
c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
84d88aa331513f6d7e41095e2187e4571dd08b9aedd52202dbb39fa1e9fd5565
ee38d1b102d49efb131e686f67a3499b35eb4e412ed8c9bd6a5fe8a22320b3d6
e1c7a0142096027135342d53d50e982ca0db4683cb578fa7528f7da6394397d6
59c68aa4d3b5e77347aa69a31f2592220359ff8f45c18bf9ef5ad047e072534d
3eab5d3870693e704bdf913c10eb1b7a2a9dfbc3e85c58d2e3685ccbb5a1114a
6714c82529a444b8ce3f8bfae085604f2618954394d7812e68f473ebfca78a26
a6595037149574b9ef6ac2be554fda95aef17dac424a214f8582031112a43f56
dd762de25b94a493d115906421412af660db77916a2a09baa40be5a9fcbf63d1
d5bd67edddb02aaf59ac0743bc2ad8fe235ee8b4cda045e2475193cb8ccca8ff
SH256 hash:
f7b2a1307788383e625f5e97e8b6493d83d3d5dc92e6668b4021089c31f95b60
MD5 hash:
01dee027b928c11106c8eedee12872e5
SHA1 hash:
9688743d5cb6c7d6bf8bc89b32c8336f3f12293d
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/1688ca50-ec09-4e36-bcb0-9f4f0dc48458/
Parent samples :
c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
59c68aa4d3b5e77347aa69a31f2592220359ff8f45c18bf9ef5ad047e072534d
d22f35b2e413df2285d73d888f9ec91025121fff5fe29c98982e9952c2f3b730
5cc4e78268ea872c52ba12d08a527a7da6a0abd65d7b1aaabc2d56ae4edbdef6
3489a2eab1c57d0eee2ce6e5773e1f4f53ee6e5d8963e0099efc7e190d0c2f1c
6036a28c74493ce0e6d87a468959a047011d2e6cf63807d9a3d154b8642d7e65
6d0a73c255453a2539a63dbeae565abae36b527cd6154691b3c066f3815860ed
9948ae75550edf04cbad0aa67a427908d5f5dd86bae12998ff9e4debfc28a645
896dacfb811fcde80b97bb497aa5abc2dc3bcdedae8c0791512b208aea6b65bf
4ef55b210c4174c2efecbe5ca507305f44226fb26340ff93e36fb65c72b3e181
15b1dd61220782f0fd48d6ca10e0a556e036f2ce0450e443ee33a57fb6dd4ba9
b4f779c06421b878976598d11fe86b9cf3b92a04d93c9ce11b57772876ccc2ba
d6ff37cf17f73dc09e1bb459d7ebec5bfe3ca0acac5924ebeb15c01e1d5985eb
bc407aec3c1515d5cf405c36da5d2336361e57dc07afba016a5a6379b56892fa
2caded000f82486caade3eeb6c47d446037abdcb39a2ba127b58c9fc67d15f33
035cf98a4ed96281ec028ec33c8a15c578e3157f9a1f8e90e95ddbc6204ada29
b75676a458b2251a7e86d7aa12dd1d26f55d49d60af2c4fc534274a8fc170501
0013e6d899c343df37d42e9aea6a40a035021195b544f6c442ff98094501b5a0
024537bcb5cb2e33a164a13fa87e13dfc129efe2dd656084f3954f4ba5a821e1
80c1a0b48688c83d7c1532da5d5871618838eea438a4262a0c36ff21d5914c2f
88edce54585b6fd0c886090c53e8f8db451fe67eb1bbafbeac17fcbd694392e8
83cdcf1f7b8b580c62b4bc74e0ec2eb1fb18e2229335179d4f333c6b5f52f4ae
0578eeb29bd6418a75a34d5809cc64bcf903cab949060ad38cb2224d23bec10c
68f21baa9f00e498b8b31630e46addb81a4b4ef3f86d097708b6d6540fdcc8ac
5f63d86d5175fe1b15194dedb48e5eadb0ae1f4656b3ca86a2055df558bdcafc
078cd1b6995a95e2057591899a7050da5799ad226afefd75fd442060efd1b027
83720bec38d91097735649d6c29d406f7c1d7521f67e69cafce0437743cf3ebb
396d863b28cfe0297b99865faa37c6a7079547e0c275bbed4c4c0ce7451af4d3
285bd22ba49a3de603e9fff856a0bd3111e43629ad29e24bb41178afd93ece23
SH256 hash:
c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
MD5 hash:
3144211fe9bcd2d75572492535ef1c1b
SHA1 hash:
7169498e78ac0b174844a55a7683f4786757fe21
Link:
https://www.unpac.me/results/1688ca50-ec09-4e36-bcb0-9f4f0dc48458/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c90b2d72296b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/2166/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments