MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
SHA3-384 hash: 43adf6ef82ea4c75081ddabfd8cd8c5f4ce79dbd6c0f4914c76308ad48ef43e087df02cb39c94f688c635d33d79cbe08
SHA1 hash: 7239f72754f5065856986cf34a1effb8272fcfa2
MD5 hash: c738a99030359d30d4a7323206e9c5ca
humanhash: georgia-march-sodium-failed
File name:UPDATED SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:662'016 bytes
First seen:2023-06-18 14:54:14 UTC
Last seen:2023-06-26 08:02:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:i5LbzIu9+r9GL+QInjg9nFFxh1GLE+E10u7NJ1/W9FQpEp6x0uDapjA7:i5LA9mInM9FFn4Lq100KHs0V+
TLSH T14CE42396671B8B13C09707FADD20A930D3BF12E23426D7934D8BB6EE4B56F110964D93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
278
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UPDATED SOA.exe
Verdict:
No threats detected
Analysis date:
2023-06-18 14:57:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7002865-5d96-4664-81fe-3c5c3d6b1d67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400184/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67549102.4075.17728.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/648f1ac75e997e92b3a2b2aa/reports/5ae9ba70-8b69-4af6-bc8c-f1305f054066/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/045e9cc2-8963-4918-81f1-b68ee3297aa2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1256873
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 06:55:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2u4ssub7lwldf4qvz4sjqoyle4apcdnwgqtfxtx6ftmputx26l3q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230618-sae5msfh78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
63bf875417a4d14485debe930a5948b79f02b45bd9669c530e717d929bb8da99
MD5 hash:
f927688f7160b7a62052b1d3ff01d77c
SHA1 hash:
bb0924d0778ae7ca1992c3fedbc4f3a6301584cf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
Parent samples :
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
ed570698ccddfc346f65b5b86045d8af239e0d2400acd5836818b95e7b658cff
412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
b45f9e29351506203a4101b1559e928ec3de39850008d82598b8ce1c3a7a13c3
117657ffb63ef0b6355173babb3e4fd141dc8be775e2ef30c23953b6396f4f45
00d56f9d4e23372133f953d1a0bb58567bc2e9bc34f9e70304116a6382448458
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
SH256 hash:
f01a6fc735878ac63e8b5585179a21b4dea5d15b5c679ac90cbab1a9d36958cf
MD5 hash:
3532237c1316ef2cc8a39372a6b5f72c
SHA1 hash:
5cf317deeff0ce552c933c7d4e44ef3f5bd7746e
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
SH256 hash:
273e12d42a1e8391ba85bdf77d2110c98bc826072f77765cd4bee4bbe31d99bb
MD5 hash:
f611ccc62a42ad302c56b1b54916034d
SHA1 hash:
6407415b7c5fce5146cde2b44641ca9486c10221
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
SH256 hash:
2e6124f5c7e6493d08a2c1a703d8ad46b5adcef587fd0fbfeaa887a872eef9a6
MD5 hash:
9b90f930d8dff4d79913225052d083e8
SHA1 hash:
5617099bdcfb64b4c583b1b1f3c9eb6f7f7b8ce0
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
SH256 hash:
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
MD5 hash:
c738a99030359d30d4a7323206e9c5ca
SHA1 hash:
7239f72754f5065856986cf34a1effb8272fcfa2
Link:
https://www.unpac.me/results/5c1b9685-28b4-4d88-9ef1-c99f108046f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400184/

Comments