MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5
SHA3-384 hash:	761b8d186ba8d025da12eb8163baf7a3b4e31ede1666d04c0a95314286145c2546840c901f0f21e15cd7ab44bbe159f3
SHA1 hash:	db467afbbec5653ae0e4ace3715a7f5472443d9f
MD5 hash:	0ae4399a1f11153e998b027e4638166a
humanhash:	louisiana-timing-speaker-neptune
File name:	0ae4399a1f11153e998b027e4638166a.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	707'072 bytes
First seen:	2023-08-10 06:20:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:5wCNEGGTIYlV2UwpImgRLY7Nc2mwGn6gCaeDXUPUvAEH39U3W6:vqxIYlVNwUV12mxnDCaLoAIUl
Threatray	3'752 similar samples on MalwareBazaar
TLSH	T1FBE402F9A2EB9D34D3B85432D6A6242C1332E20B5477F31F111811D6962AFC973A67CB
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e096962b2b9696e8 (16 x AgentTesla, 4 x Formbook, 2 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0ae4399a1f11153e998b027e4638166a.exe

Verdict:

No threats detected

Analysis date:

2023-08-10 06:25:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f9cb80fc-9fed-4f5a-a29a-72ed823a0696

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/441869/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/64d481d2a5c3e653be16633c/reports/944ff01b-380b-4cf5-a35d-32784284cae8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/051899d4-c247-4758-88fc-3c55fa1e99f7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1289187

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected FormBook malware

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Steal Google chrome login data

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5/

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2023-08-09 20:51:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ofgu35o5syngc4ntkgyk7ufb4prexobz67es6ezxvjgsveyx32q._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Formbook

11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42

Formbook

154da40b848da265e6339dc5773113f75d1b7922b1273a9e6ee6782e33b6b6e4

Formbook

8a5eebc7b8520bde5c361db7249fe0d5286e9074dc7e0bfc555f3f2a1166bb2a

Formbook

90f8a6e23c16788ef3a7adee0b9b9a03cede0905367d71a8be46d3dc24b7b759

Formbook

913a34a614a8170d51732f1deeef2445864b9c2e0d69ecdc12dd6db8923021ce

Formbook

b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe

Formbook

e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500

Formbook

f740610774f6f97c82a45cdb50f0bec8f98e4e7dc7d26d9ab097c35b3a92bee6

Formbook

+ 3'742 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:fd62 rat spyware stealer trojan

Link:

https://tria.ge/reports/230810-g4cqtsae56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

687c4e45e5982b8eeb6cb000873520718e01fe0074afd1161c0cdd88d25f82d4

MD5 hash:

98ad3d5e6d1e51f897074a078d47aa5a

SHA1 hash:

36db57c741b3aecddb0bad18e0724ed7dd05a675

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/0a9ab47f-cfb4-4a63-b10a-7918e56d3bd9/

Parent samples :

e5854984cb78e5ce4bcc31263e290d895b3de4660e87e0f5af115cb9b60b5500
63b0410652da12f415ba3be83cda769bd268b83000c425f666fbefb4fddbf3be
d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5
344b3c764a7075a0cdc2a9cd3f390c6b195fc0601077f68db9e8678a27c0c204

SH256 hash:

504410fd6158a7346f5a2e7b7714203b329d46dab5d129719410d5c325122804

MD5 hash:

74ed681a2d7aed1dae5627d4367474f8

SHA1 hash:

cad2df636d3f0710f69fdb18cbae03a332341dd3

Link:

https://www.unpac.me/results/0a9ab47f-cfb4-4a63-b10a-7918e56d3bd9/

SH256 hash:

4a48b3abed53d8285073f3bb2258041767cae4d08dcdefccc2634d6e3185bd48

MD5 hash:

7400cd2388a54242a3f1a694dfdcc943

SHA1 hash:

bff11d5b59864aa6217a38cafac385d288e21b5b

Link:

https://www.unpac.me/results/0a9ab47f-cfb4-4a63-b10a-7918e56d3bd9/

SH256 hash:

8973ec20883b3d45af6c843de26bd764bb3ca9346ffe2def89942b1a973f16f0

MD5 hash:

67cda3ec4bee9bf8bb35ea857ac9a5d1

SHA1 hash:

6ca5037103de3a0d69b07610cdb9a4f7ed70c643

Link:

https://www.unpac.me/results/0a9ab47f-cfb4-4a63-b10a-7918e56d3bd9/

SH256 hash:

d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5

MD5 hash:

0ae4399a1f11153e998b027e4638166a

SHA1 hash:

db467afbbec5653ae0e4ace3715a7f5472443d9f

Link:

https://www.unpac.me/results/0a9ab47f-cfb4-4a63-b10a-7918e56d3bd9/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d38a6a6faeec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe d38a6a6faeecb0d30b8d9a8d857e850f1f125dc1cfbe497899bd52695498bef5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2696868/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/441869/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample