MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d19e08bdd5dac3cfb348943badc76d93a0deec02208cb5da668a207ccb0d7cd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	d19e08bdd5dac3cfb348943badc76d93a0deec02208cb5da668a207ccb0d7cd1
SHA3-384 hash:	5a29fb81f108a4dfacae2c817e7f66d727bb2b9c238a7a65b37c19556cc603ee4fdec051dfb8995ddfc6ec5ce9453b9b
SHA1 hash:	512ef276fa039e554b982b0e9538e18d56716f02
MD5 hash:	481c2d5d07540805adc87546f3bc86d2
humanhash:	wolfram-saturn-georgia-tennessee
File name:	PennyWise.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	112'640 bytes
First seen:	2022-05-13 22:20:20 UTC
Last seen:	2022-05-13 22:36:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:Vk12YEafHdut2CIuIHoyqxh9Cz9+zGD5/eiG4OS:VkFz/b0ps91xo4O
Threatray	13 similar samples on MalwareBazaar
TLSH	T1C1B306FE738ABD92D5EC9B78A4A2100E1B75C217EC12E39ECDF364E411763C9D641982
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/270524/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a window

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/627ed9d37804b2efc4937558/reports/22517588-1c02-4722-9f5a-ff1938e05abd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d6a12e5c-31a3-42bc-9646-7649e866f51a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/993924

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d19e08bdd5dac3cfb348943badc76d93a0deec02208cb5da668a207ccb0d7cd1/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-05-13 22:19:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 41 (39.02%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2gparpov3lb47m2isq523r3nsoqn53acecgllwtgriqhzsynptiq._file

Verdict:

malicious

Formbook

a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9

Formbook

b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3

Formbook

cc6c4cd27c628048d24a8292860cbbcf1269415aaee1366edf99a34ae7933cbb

Formbook

cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722

Formbook

d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6

Formbook

+ 3 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220513-19mb1aehfp/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

Gathering data

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d19e08bdd5da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/d19e08bdd5dac3cfb348943badc76d93a0deec02208cb5da668a207ccb0d7cd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/270524/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample