MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
SHA3-384 hash:	35d09fdeb410be17b731750dd64660b2a7a7c583284f65e7dcadbe0110b0af1bda041cca28ad0a1b112603b33c4ba144
SHA1 hash:	ac865a8459373de4f9498106397b752146fcaa6e
MD5 hash:	83a31eaeeca4f5b89bb7740fe4a4363e
humanhash:	fanta-nineteen-burger-twenty
File name:	SecuriteInfo.com.W32.AIDetectNet.01.2222.21026
Download:	download sample
Signature	Formbook Create hunting rule
File size:	749'568 bytes
First seen:	2022-06-01 11:47:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VYk6SIcd1AabeczdLBcpmLOJU6/29TMDRZD084EBR4yoot/jt6c3e:rz0cLzdLBuf/UQYgBRqotbt6c
Threatray	13'383 similar samples on MalwareBazaar
TLSH	T197F40124326C1668C7BE877A1075C250437D3D6AEA2ED70E39D2688E1CF33819B167E7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.2222.21026

Verdict:

Malicious activity

Analysis date:

2022-06-01 20:16:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/95c20d78-6a5a-4f80-82c4-0d683ba7c635

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276038/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.2222.21026.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/11751df3-c74e-4945-b7eb-bf566f443cbd

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1004994

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-01 10:35:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zotpqkduz65p4yppbtcushu5cgvivosyutpzwpvxhdho6lna5aua._file

Verdict:

malicious

Label(s):

formbook

Formbook

49b5b36041408c4f58810bad116898bec932533a1487099f1049c0df3740688f

Formbook

5616e1cbc30858dd5157bc181cfebaf939f5c30610f4c32b4f778713e969e473

Formbook

5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0

Formbook

57f01cdded3c545f55b5dc74630fc7cb9679abe58949e706bef98014f6578ab4

Formbook

7b3ac209ae00cd1fdb297032b35d2d0b1c0e1e66d95b1c90045e44c223232c93

Formbook

b6977327ba4fd222c6e98fb0c3989e20b28fe4d460ad2b2201e4ba13fe7b8441

Formbook

b844435235a5eb37ef8ddfbde5694104bb1d2faef4220739997f5bea28361c15

Formbook

+ 13'373 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:oi25 rat spyware stealer trojan

Link:

https://tria.ge/reports/220601-nye3bsgdc8/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

Unpacked files

SH256 hash:

d9ad45bcbfe603a3be699508002edc692666abb8607437d7287797ebbb20c35c

MD5 hash:

75d51ce06fec59270a87053916934bbb

SHA1 hash:

892b1be0a0937ef4607d705b4e750b36e166e084

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/972c7b53-9588-4a05-97b4-f88b16b17c2b/

Parent samples :

e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
d789dc89cbdaa34557abf0c25f2ae5e35208c752fdfceb0aaff7ab15a7e45220
d060c0c503a5d377c6f8df72835faad2b6172958efa655f04d3b0f074d10d1dc
9120ea8d13a11c171723ddc231be7217f6611b631d98a71254be079cc3e9dfe2
591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09

SH256 hash:

4b2c5f59a579523218386426f26f50a037e1cd457ff38709ffb33aa9cac557bd

MD5 hash:

a4ae38cbc222435cc2a11b42203e1cdc

SHA1 hash:

f082e8c3321e8beeadde803626f9de1e54a56269

Link:

https://www.unpac.me/results/972c7b53-9588-4a05-97b4-f88b16b17c2b/

SH256 hash:

d8725ddc52020f287422fcbaaabc38d6d8c7a380bd0aae96de984f8df2a7ff86

MD5 hash:

b57a0183cc83cfaaa586cff0075d49f1

SHA1 hash:

3e0057532f80f9e7c6d62d72ea2e5a39530878a2

Link:

https://www.unpac.me/results/972c7b53-9588-4a05-97b4-f88b16b17c2b/

SH256 hash:

879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504

MD5 hash:

30b6a54a992eae921a2eb8c5ea130911

SHA1 hash:

1c83f0319bffe007077c6656418c9b7344d5affe

Link:

https://www.unpac.me/results/972c7b53-9588-4a05-97b4-f88b16b17c2b/

SH256 hash:

cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828

MD5 hash:

83a31eaeeca4f5b89bb7740fe4a4363e

SHA1 hash:

ac865a8459373de4f9498106397b752146fcaa6e

Link:

https://www.unpac.me/results/972c7b53-9588-4a05-97b4-f88b16b17c2b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276038/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample