MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
SHA3-384 hash: 30e5fc132cb102bb5c69161e59bec27d586fd738b4545016b0577596f487429e7596c0c2d50c1f90c9f5bc7f5d418481
SHA1 hash: 5bce77192abbf2a71a2b19d6b00f08685f569b64
MD5 hash: 3aa5992e9a518e4d1a7042a16b10e31d
humanhash: mike-mike-lithium-neptune
File name:vTHGfiwMDeoOH5a.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:804'352 bytes
First seen:2024-10-07 04:26:14 UTC
Last seen:2024-11-12 17:31:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:A0ixK9bqAGf89ojqUk6fT6xuBgptr6svn6v:9ixKp5NX6BBStr6svnu
Threatray 6 similar samples on MalwareBazaar
TLSH T167051268631C9659C76C07FA4492C21053BE2638A94DC76C7E93B48F44DBB658332FEE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 868e8e8e8e968eae (3 x Formbook, 1 x AgentTesla)
Reporter threatcat_ch
Tags:exe FormBook www-vasehu-xyz

Intelligence

File Origin
# of uploads :
2
# of downloads :
392
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mal20241007-01.rar
Verdict:
Suspicious activity
Analysis date:
2024-10-07 03:50:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c01584e7-6a49-46e8-ae33-cb57797d06a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.13847.7309.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67036318ebeac9e68051276c
Tags:
Powershell Micro Spawn Msil
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/67036317d92ce92b9f9b274e/reports/84025f92-2b5e-4aad-8162-2f04e83719cd/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b87e0b74-36fe-413f-8488-83d982580e27
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1527610
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1527610 Sample: vTHGfiwMDeoOH5a.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected FormBook 2->26 28 5 other signatures 2->28 7 vTHGfiwMDeoOH5a.exe 4 2->7         started        process3 file4 20 C:\Users\user\...\vTHGfiwMDeoOH5a.exe.log, CSV 7->20 dropped 30 Adds a directory exclusion to Windows Defender 7->30 32 Injects a PE file into a foreign processes 7->32 11 powershell.exe 23 7->11         started        14 vTHGfiwMDeoOH5a.exe 7->14         started        signatures5 process6 signatures7 34 Loading BitLocker PowerShell Module 11->34 16 WmiPrvSE.exe 11->16         started        18 conhost.exe 11->18         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-10-07 04:27:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6wtklmmt2ihe2ohnmrlop32t6shyn4czgpmjbmyumikgxj33kwa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
1a375dd13598cd93e502e68f84236b536b9333fc9f1f2db88f2bbbbc67dd04c4
Formbook
27f7c51ecf059815a8a966e9bd52aea6951ac2dc93e7d7f8d240a80be0a85bec
Formbook
db0f9627eb6f6d633f7211ce94d2ab53277140634443909f78b96a7b18c48b9e
Formbook
dc46b790c20e5077fc05879616e9d87acfdec0b4d2e2d9e82e5ce666487fdfaf
Formbook
dddd9cd5cd6589c82939b6cb4d6b86c4f8f9be9b68d03a05bc1d00a048127d22
Formbook
error
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241007-e234wswanq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/166004a8-c2f4-4376-a08d-be4ad3064bd0
Unpacked files
SH256 hash:
698769aaa068e72a34d91c18e166b4bde3f47a94881e3d516a1042d3700c3584
MD5 hash:
82930794435fbc22f335e38c3d4e556a
SHA1 hash:
04d279570df97b269459eab2fab9828d863d6856
Link:
https://www.unpac.me/results/cf64d252-ec3d-493c-b69c-64e38c483ad2/
SH256 hash:
615bcb64e5aaf0acde20ad2e8d7c3070d54d3893046ec4bd7266c4e4c0368f86
MD5 hash:
4ca79a7e1cf673b86fdd3631698b5caa
SHA1 hash:
8c5d3b24957c35b9560f84a0a85a7a8af3ba85b4
Link:
https://www.unpac.me/results/cf64d252-ec3d-493c-b69c-64e38c483ad2/
SH256 hash:
fa9779f22ded812d7f34a6868241498d365c0cf9c323a09391178dbd9f720ce7
MD5 hash:
7fe750f3343a1970e071373add946f2b
SHA1 hash:
fe9a6cfc103b32b7485533310b615292c1e0ed3e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/cf64d252-ec3d-493c-b69c-64e38c483ad2/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/cf64d252-ec3d-493c-b69c-64e38c483ad2/
SH256 hash:
cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
MD5 hash:
3aa5992e9a518e4d1a7042a16b10e31d
SHA1 hash:
5bce77192abbf2a71a2b19d6b00f08685f569b64
Link:
https://www.unpac.me/results/cf64d252-ec3d-493c-b69c-64e38c483ad2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfad352d8c9e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments