MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d14a33d70b8d8be176eaf739c6c51a2835a2856f446b975b5d13727a925e1738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	d14a33d70b8d8be176eaf739c6c51a2835a2856f446b975b5d13727a925e1738
SHA3-384 hash:	dedab6c274759fc39dd1f63f62cfc2a5fac22201aa363ab73288a4a34afbbcd668477b4f9b5e459dc04c1efae2837723
SHA1 hash:	c62aaa57a9409fe9c6390f4d8b52d32089b2845f
MD5 hash:	85908711708740b21e3fb02dbeffc664
humanhash:	moon-india-north-orange
File name:	SecuriteInfo.com.MSIL.GenKryptik.GFFG.tr.16214.23432
Download:	download sample
Signature	Formbook Create hunting rule
File size:	697'344 bytes
First seen:	2023-02-01 04:27:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:/mVVAH/RbmdGXvlePdiceoHr4WqFGSiUNIcuVUG+BTfhst/ERC5z:/mLAZy6teF5jgIcSeTpst/FV
TLSH	T1FCE4F14CA2FA9E0ACAFD1BB69871282013B3B8556136D35E0FCD24DA1F67BC49501F67
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8219e62b2bc61982 (10 x AgentTesla, 4 x Formbook, 3 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

205

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.MSIL.GenKryptik.GFFG.tr.16214.23432

Verdict:

Malicious activity

Analysis date:

2023-02-01 04:30:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/671c2929-2d19-4868-a99e-cefc8f3279fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/358842/

Detection(s):

SecuriteInfo.com.MSIL.GenKryptik.GFFG.tr.16214.23432.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/63d9ea54696b2d97257508a4/reports/0469b283-bf1b-4f22-9558-a8abe81fd8ee/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/588d45f4-a986-48b7-88ef-f77c899acbd7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1162882

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d14a33d70b8d8be176eaf739c6c51a2835a2856f446b975b5d13727a925e1738/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-01 02:28:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ffdhvylrwf6c5xk6444nri2fa22fblpirvzow25cnzhves6c44a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230201-e3n2csdg4s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

6f21d46bc9ef68041d0b0ec89b878cae1e5b996988f5b367d54c46e00e782ef3

MD5 hash:

b23ff9e28cdfc56d60a68f42b346fc05

SHA1 hash:

e4eb037c7732ab9b73d59b66274816ae605dc3ee

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

Parent samples :

9f44c58001149776520aeff671ff0888b3af00f1f0188f768ed21595fa30f81c
a69d0f56789a6cc4e0d12922b6552bf777a9a58206fc5c0639ab22dd86880600
72fe4875ce631d4f955e3a88d502b931acffc323576cf4a962e39ac9a0136204
2451cd26906f3fd1186b6b958557c185e3554f76ec248d8ea944e6c7cc70443f
5718c580c8854ea0d8785b26989e890c56f9e5fb9a58a0f1debc4bf71d869a9b
2e5a68487fb25640fbf7d4c2529e17bb20b2c948b82e464e9543a25f34027176

SH256 hash:

0d69ffb6d71bb73cb201c5d720e706020ecf8128b75a75df62b114a3a99709f1

MD5 hash:

dac31c8bc4e4a583f6571778e0cf57e9

SHA1 hash:

1a104ea41ecf0459fb8f5878182b5b1e48c4897d

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

SH256 hash:

178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad

MD5 hash:

159af9cf7f94d64c8120c80268965306

SHA1 hash:

fb41ab37af2c83e96d97e9cd066f90e72d4887ea

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

SH256 hash:

1a034eaf0990194b179d90cb8c68a253b0e8972b463a794eee8986545f1fa9c9

MD5 hash:

02ebe37a68c96ba6e2a7a4195e558e31

SHA1 hash:

e6642ca708793d8474192790440265b304f63f54

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

SH256 hash:

6b80277ddec02f1a4f096527fd2f9f994cb2603acb2e33e21f54f18b7c288f4e

MD5 hash:

b29d44f46da2b92571f224a54cde3efc

SHA1 hash:

d88f41c317b7cc158adcf5f37a673eb3394d95a4

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

SH256 hash:

54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8

MD5 hash:

4f6caebd865502f7c8046fbae3284c61

SHA1 hash:

be357e832bf6f61454875b37a1759cf1c5fa5ca4

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

SH256 hash:

d14a33d70b8d8be176eaf739c6c51a2835a2856f446b975b5d13727a925e1738

MD5 hash:

85908711708740b21e3fb02dbeffc664

SHA1 hash:

c62aaa57a9409fe9c6390f4d8b52d32089b2845f

Link:

https://www.unpac.me/results/8c8e315e-aebe-4dfa-89c0-93cf324f30e3/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d14a33d70b8d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/d14a33d70b8d8be176eaf739c6c51a2835a2856f446b975b5d13727a925e1738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/358842/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample