MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9
SHA3-384 hash:	8df6269a3197be56f6a44e2fcca23e4a64039eb320527e8a8b21346d8d39d354604a892f26c4d90adb69fc2729b3c798
SHA1 hash:	6fd11703332d21d5e3688d8fa578e4c30310751e
MD5 hash:	a65c013df5641a4a2a396c5e814299cf
humanhash:	seventeen-asparagus-utah-delta
File name:	SecuriteInfo.com.Win32.CrypterX-gen.3277.7822
Download:	download sample
Signature	Formbook Create hunting rule
File size:	673'280 bytes
First seen:	2024-05-28 08:24:46 UTC
Last seen:	2024-05-29 14:49:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:EY8xaUC8AfFxpLUGZLlO2Xc323QiLv7qQqRGUUR0gu7LOyzYau1:QaZxfffLI32AiLv2QeGUUSXSyzlu1
TLSH	T1D4E42302EAB40735C0725FFE464198000BFA954694B1D3B9BCD29CE6DED9B3CBD8196B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9.exe

Verdict:

Malicious activity

Analysis date:

2024-05-28 08:25:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/730bacf8-b638-4763-8043-e01c840c0afb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.3277.7822.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=665594eb3d0e5a324e76535dwin7simulatehigh_evasion

Tags:

Generic Static Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/665594e232eca5b280005b6e/reports/76c3f959-f575-4652-aa72-d3319b9de3f9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f700ab4f-ec4f-41c4-be23-c9a17b202b83

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1448444

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2024-05-28 06:21:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2j5yjijzgsl5l4nb22tsad7x6jiizpupwxf4jprbtzq6aofmeg4q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240528-ka911sce4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f83adbe3-681f-4c85-a2e3-f516899b0f6f

Unpacked files

SH256 hash:

7fb8eb22fd7da53800f5f0067bbfef3f4cced07ca6d741469444748786b1cb96

MD5 hash:

f3a55e94c6e6a0b6e75c173f63f98239

SHA1 hash:

4fdd9c4c40b9d47fe9a375a378b820cff83c7ced

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

SH256 hash:

9616e39aafc254e340412f7076d1354e48f10a141096e8fbd3a960b7fade3e3a

MD5 hash:

5b235a7e3918b1c59f5f37c9492328a7

SHA1 hash:

8b8d53b8b2bba64035f79f3214b763eb3ab0e9df

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

SH256 hash:

73113abdadefd54e02f0d3f3aec21c31e96b315dc2ad6ae7d725cd5197e97c48

MD5 hash:

ae27d0d76e10c13d9dc0ad2a6b147756

SHA1 hash:

f1a4bc030b4476ac1450cc797213e34f567dd434

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

SH256 hash:

9ca19dfb4e900f0f08bb644111a73553b0c79652defe6c29eb4f2bfc87e231ca

MD5 hash:

c727dd7bb64665b262e5a1dc6e008770

SHA1 hash:

27e3e26109f51b8a6d84dc493856ac73538cfbc0

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

SH256 hash:

e823ebc0bf3d4caa2b556e6725554826134980a0436e973b4840f43f91b06e1c

MD5 hash:

10ce6543dee310d50e2de21a15edc673

SHA1 hash:

043e53ea08c5db1a43a2b92555e32a44206fe159

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

SH256 hash:

f332784ebe502c3773fb870ae8fc0eb4557144680d59b18e571bfeccac1e62cc

MD5 hash:

a99841d30b01f507b4e04ec45c868fb5

SHA1 hash:

03182f01016209c65607eaabea91b7c765f36a81

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

SH256 hash:

d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9

MD5 hash:

a65c013df5641a4a2a396c5e814299cf

SHA1 hash:

6fd11703332d21d5e3688d8fa578e4c30310751e

Link:

https://www.unpac.me/results/29721740-f3a9-4e8a-8296-0cbe428bc8cb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d27b84a13934/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample