MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755
SHA3-384 hash: 2cc7c5151b7d2816e63638aeda79904085b7d928bc68bb1485fe14495d1e5dde8507debac588857e0491111f68988b27
SHA1 hash: 53424ccf1bdef34cb2c74c5e3478516d7e0075e2
MD5 hash: 2e84d5556bb37fcecb8cf7942a70606a
humanhash: queen-may-speaker-arizona
File name:2e84d5556bb37fcecb8cf7942a70606a
Download: download sample
Signature Formbook
Create hunting rule
File size:622'592 bytes
First seen:2023-05-17 15:51:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:uYVv532KuWoDXxF7xvx0Vetn+pvlyCOBonhaqKfMX:l4r3Bjp6vQ94AM
Threatray 2'913 similar samples on MalwareBazaar
TLSH T1BAD4E031609E46D0E02FCBF065B8FD72033134F3EAD9D9350B66A1C4CE6AF542E9895A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
047fef24cc2235db39d3eb1551be28bf
Verdict:
Malicious activity
Analysis date:
2023-05-17 12:48:02 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/c9b14d21-89d2-420b-b9d3-9d0aea2d52fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390759/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33744342.13896.11509.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6464f8233e79001b02c99c6b/reports/0f47f517-eec0-4cf6-ae59-2b5f40b55cfb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eba11083-ae04-4e9c-8c46-37a5577eb037
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1235447
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 868444 Sample: eI1ENCmL49.exe Startdate: 17/05/2023 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 3 other signatures 2->45 7 eI1ENCmL49.exe 7 2->7         started        11 KpqaOegVGlr.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\KpqaOegVGlr.exe, PE32 7->31 dropped 33 C:\Users\...\KpqaOegVGlr.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpE980.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\eI1ENCmL49.exe.log, ASCII 7->37 dropped 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Adds a directory exclusion to Windows Defender 7->49 13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        17 eI1ENCmL49.exe 7->17         started        19 eI1ENCmL49.exe 7->19         started        51 Multi AV Scanner detection for dropped file 11->51 53 Machine Learning detection for dropped file 11->53 21 schtasks.exe 1 11->21         started        23 KpqaOegVGlr.exe 11->23         started        signatures5 process6 process7 25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 conhost.exe 21->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 14:31:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 35 (62.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uwuweub6oy5iqkivnjvg7f54rg7qmv4skrrbs64fnhvg4gba5kq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea
Formbook
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
4c8180c106fdf8c5c144e85b22eae0ce157372378310a1b7252326e6521a1b2c
Formbook
605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609
Formbook
cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36
Formbook
ef201fa6a83547a8b5a1514e948d4208ee20bd4d37c1fe57d81bb1c2dfb1caf5
Formbook
fc52523013f9198bf95daa7b6f6a597b518273b54c50635784deee1e3c9dd991
Formbook
+ 2'903 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230517-ta2t3sff59/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
d782b5eba7b50b16aca19c7ab9ad839d933420e0829b5c3024aa24c7548559eb
MD5 hash:
a62b3069eb4ce9747811fea43d924ff6
SHA1 hash:
b2451576fa84418588c9ba22e3d2db2d00582911
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
SH256 hash:
7b6ec57c723bb990f96db30be9bd6eefe5762a4052365b147a663af1093d7fab
MD5 hash:
d567614bc88e595c10bfa0ba4a691d06
SHA1 hash:
5c33db3fa317c711cc8da81df8f188519e956b49
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
SH256 hash:
2d7ca730b4f0048b42502805d3639547ff50d9ac1ca86f10d36fffd71bb92b43
MD5 hash:
9e3f269b3b08f1d048c96bdd7bef4647
SHA1 hash:
ecea6febfcd844a9e71b4b8aea209c0fb237df78
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438
MD5 hash:
dfca41d2838170cb07ef445bb7d9c987
SHA1 hash:
7622672bed23f065cafdf2a17879ebf5926aba8b
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
SH256 hash:
1c63420fa5082b04a0e5cf54520c481655d7e315712527fd34e172d052c1b63d
MD5 hash:
e0a2d76d84511ccb7171987dbab4394e
SHA1 hash:
1ca6fc567a75c88f8a93ab6f3a6b31050ff25df9
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
SH256 hash:
d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755
MD5 hash:
2e84d5556bb37fcecb8cf7942a70606a
SHA1 hash:
53424ccf1bdef34cb2c74c5e3478516d7e0075e2
Link:
https://www.unpac.me/results/e4d5b4ae-ac33-4f8a-9dc8-4e25229362b7/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d52d4b1281f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d52d4b1281f3b1d44148ab53537cbde44df832bc92a310cbdc2b4f5370c10755

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2635984/
Cape
Cape
https://www.capesandbox.com/analysis/390759/

Comments


Avatar
zbet commented on 2023-05-17 15:51:18 UTC

url : hxxp://195.201.147.116/422/vbc.exe