MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05
SHA3-384 hash:	98e9be4d81b9863aa2d7301d9724dbeadc3f82d8b23a37d8a7be3c8159cf8818d662716ec48ac75638d93b4e2f1f2dc6
SHA1 hash:	fd556a381003c7191efccff11c3dff86641a1a02
MD5 hash:	5bf675183f7d1e7dad9cffb538329fcb
humanhash:	eleven-louisiana-william-coffee
File name:	r0105-12132023DEC.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	684'544 bytes
First seen:	2023-12-13 20:24:19 UTC
Last seen:	2023-12-13 22:19:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:vEfJI6Gy+YYUBYcyWnf7qNIRJVbvP0/IdURkSYzmF+T2PqYuEj3O:8oYnC72uNIjBvRWRIJiPqYx3
TLSH	T130E423141AA48236C2FA09393EB3C1125770CA21A713EB4B4C87B9DF94777BB6783756
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	cc0f3355332b17cc (12 x AgentTesla, 6 x Formbook)
Reporter	FXOLabs
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

3

# of downloads :

426

Origin country :

BR

Vendor Threat Intelligence

CAPE Sandbox Formbook

Detection:

Formbook

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/467324/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Inject4.59820.24294.5527.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Launching a process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

89%

Tags:

packed

Link:

https://www.filescan.io/uploads/657a132247603edff3356316/reports/c5261277-dabe-44f1-bfd4-add2c84d64c6/overview

Hybrid Analysis Win/malicious_confidence_90%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/31037168-7e74-4756-9032-8823baa5e7bd

Joe Sandbox FormBook

Result

Threat name:

FormBook

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361733

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

99%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AgentTesla

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-13 14:27:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

9

AV detection:

17 of 23 (73.91%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2bo7f4irnvkjxbgpnkruifcw7ga4ntdxavdheoa6aemodhgurqcq._file

Threatray malicious

Verdict:

malicious

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/231213-y69xsaaef6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

UnpacMe 6

Unpacked files

SH256 hash:

96adebe2d3724b09c5f8d594729bbf9b084d9b6dff3398c5e1c7d79d0ca642e3

MD5 hash:

66177a12d0bc968626c1716133a08e46

SHA1 hash:

df395156d246854650801b46607b4a1b2ba47721

Link:

https://www.unpac.me/results/0aa614ae-8f9a-4b4a-a8cb-064c387575ac/

SH256 hash:

a0f01eaf0772e8a22deec7deaffe23c78790261a8e917005e7796e12f4b89b6d

MD5 hash:

2d194f56ed6fd1e15d977f873b63df83

SHA1 hash:

adf44b215e43477d8e70b942c528a83df3837c7b

Link:

https://www.unpac.me/results/0aa614ae-8f9a-4b4a-a8cb-064c387575ac/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/0aa614ae-8f9a-4b4a-a8cb-064c387575ac/

SH256 hash:

3f796fd1ccc930576da3852426204df4a11e7eb965104ccef7b972807b00c43d

MD5 hash:

6bed625638d94a94a4b3b72b86df7048

SHA1 hash:

6aa49fc40d8db7bd8724e6ac77482fa753b349e0

Link:

https://www.unpac.me/results/0aa614ae-8f9a-4b4a-a8cb-064c387575ac/

SH256 hash:

48797b08de8adeb2511d412949bfe9cb5a55e8dca421617a187378f3c7beadb1

MD5 hash:

5022b3b5cd885d96f54b40d1c274edb6

SHA1 hash:

06eb8849b821af26a9a59f18f9bec2ce5726e843

Link:

https://www.unpac.me/results/0aa614ae-8f9a-4b4a-a8cb-064c387575ac/

SH256 hash:

d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05

MD5 hash:

5bf675183f7d1e7dad9cffb538329fcb

SHA1 hash:

fd556a381003c7191efccff11c3dff86641a1a02

Link:

https://www.unpac.me/results/0aa614ae-8f9a-4b4a-a8cb-064c387575ac/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d05df2f1116d/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe d05df2f1116d549b84cf6aa3441456f981c6cc77054672381e0118e19cd48c05

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/467324/