MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb5d45a2aff741e92a19428d7b5c5dbec63183e42035b190d732c3dd7d75918a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb5d45a2aff741e92a19428d7b5c5dbec63183e42035b190d732c3dd7d75918a
SHA3-384 hash: a39ea5353722cfdb5ca2a43738e11afe88f29d276c2f3fb2839c690003b594d853e295456c0136d3840c61d72a74caa6
SHA1 hash: c03b133bfeb72c764fd4fb33f50f4c7c87d25908
MD5 hash: a1d72771e8c5bfb81ce86c19bb31b79e
humanhash: maine-east-one-uranus
File name:Shipment Document BL,INV and packing list.jpg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:659'456 bytes
First seen:2021-05-03 05:39:33 UTC
Last seen:2021-05-03 06:02:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:u1kpvD/Vmfo86HiBADJuSxRvi1W8rLZ2iSPomC65dsD4KKZk:okpoW2VIiEGD4fk
Threatray 199 similar samples on MalwareBazaar
TLSH 41E4DF0A7B856B99D1081E7AC95300C883F5E127AB32FBEF1DD915E56A02397870F937
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148167/
Detection(s):
SecuriteInfo.com.VHO.Trojan-Spy.Win32.Noon.gen.183.10469.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707594
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb5d45a2aff741e92a19428d7b5c5dbec63183e42035b190d732c3dd7d75918a/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 05:40:15 UTC
AV detection:
8 of 44 (18.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=znoulivp65a6skqzikgxwxc5x3ddda7eea23degxglb527lvsgfa._file
Verdict:
unknown
Similar samples:
5024f734215b78dad35ba4390d346c029d19eb14d90983cf48c2b16726df14d9
Formbook
5ff8126fb4025c8587191a776a7d505f1bcc825f87a8e21266f55d5ff3f2cccb
Formbook
81c772e7c3443e928084c9c25b4b7a31002dbac9c4c977eeace73dd721243317
Formbook
c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23
Formbook
d0a2be2c26efa68a6f69a4173b21c251b3c1e55b4d64cdf67394f923c9c23452
Formbook
d4021060ba2ca5034165d5a2c735bdaa54bad25180ebf0f8e0c6d5f6af69e18e
Formbook
df9b8b0093bdcff2dc73e2da55ea3c94cc90febcf05c4bb4edde266b3f376a55
Formbook
ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc
Formbook
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510
Formbook
f138fb2bb1b74757f02ed6159d3766cd5bbae760e04907ea7520bc09dd968783
Formbook
+ 189 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet
Link:
https://tria.ge/reports/210503-4ywrlklm1n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Obfuscated with Agile.Net obfuscator
Unpacked files
SH256 hash:
cb5d45a2aff741e92a19428d7b5c5dbec63183e42035b190d732c3dd7d75918a
MD5 hash:
a1d72771e8c5bfb81ce86c19bb31b79e
SHA1 hash:
c03b133bfeb72c764fd4fb33f50f4c7c87d25908
Link:
https://www.unpac.me/results/151e2f6c-1802-4713-a7b8-8adde889c33e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb5d45a2aff741e92a19428d7b5c5dbec63183e42035b190d732c3dd7d75918a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148167/

Comments