MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5a23866761bee9282a46084f914960c477f388a158b1d69d835e27396648e80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	d5a23866761bee9282a46084f914960c477f388a158b1d69d835e27396648e80
SHA3-384 hash:	d512ca82196605936ca14880333c93ccc0c1ad0eb9f3e6ee6539a0afb07d48485c1c4296a9d29964f00dc32f34ac7212
SHA1 hash:	13b662020711d130924b4d24f6a2ab22fc2e3b35
MD5 hash:	b0c0ca85b8c80b4c6df0b55f741b896e
humanhash:	east-quebec-hydrogen-magnesium
File name:	BNJKLP77.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	991'296 bytes
First seen:	2023-07-05 14:15:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	24576:ok70Trcq4ATp80JLIqD2i7ydyb/JQKUoYZqtfswZ:okQTAqlKynmeQKUbZqtEk
Threatray	3'175 similar samples on MalwareBazaar
TLSH	T1ED25121575C1D533C873257249E1CB79AA3A706007B9D8C3BA9907E6BF603D2AB261CD
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BNJKLP77.exe

Verdict:

Suspicious activity

Analysis date:

2023-07-05 14:17:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/70002969-a2fb-4e9d-8d3a-3bd9d62a8924

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/407798/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/95647/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EnumerateProcesses

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/64a57b23302776c72e73b992/reports/75765829-fd00-4f95-84fa-a495515cfa73/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d5a23866761bee9282a46084f914960c477f388a158b1d69d835e27396648e80

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b7432d45-591d-4603-a3cf-6e713f329847

Result

Threat name:

RedLine, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1267342

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected FormBook

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-07-05 10:34:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 23 (91.30%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wrdqztwdpxjfavemccpsfewbrdx6oekcwfr22oygxrhhfter2aa._file

Verdict:

malicious

Label(s):

formbook

Formbook

1b60de037862c81181d9068b63660bc31521b0f53a158bf62b05da36bfa92446

Formbook

7517367b3b61170bb7637de6f89077069159c4a04f430c28102e2d7cf5a0343a

Formbook

77133e6383dadf832cbb0e1add33a1aa440b7f280a69d65038323049d1a76bf4

Formbook

7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c

Formbook

a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75

Formbook

b036b3544f5ee91e85a53bc9f458f5c70792bc57b98d87beb8a350728ee012fd

Formbook

d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32

Formbook

f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841

Formbook

ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198

Formbook

+ 3'165 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230705-rk413sch54/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

ae3f54593cbc93582ec2668b1472171eee4b873dcdf2630e1d37d4e1aaf14fc6

MD5 hash:

34bd5672be95c61282f513af7d291980

SHA1 hash:

1167f3ff5ee042e9e8681b9144ee3b1bdead296b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

6d61af924260777c76dafc8725520ab5a4ef953aadfc85f585e1e0239761047b

MD5 hash:

5d57f726d6e3a45372ea387becb1539a

SHA1 hash:

25ab939522013dc1edbe5a5db7916759272e4898

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

5326f733b1670d9b8db5731a1e13089455047dc6a2bfe0f8fd36fc09c687c04e

MD5 hash:

038b2dd94b55dfc8af5929e103f7f881

SHA1 hash:

ee0bbdbe454c050269f5631cc29383b98c49bf08

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

a102d5470e4f6fd28543f5585f2d3a8b1209f73119ee8badb29682abf1308460

MD5 hash:

99f789a5128d5bbadfb5b35f430a57ee

SHA1 hash:

cb7b6cd32325e7280ad5699d1867ada49e6e622a

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f

MD5 hash:

7cc5c7a43fff3cbd3974b0ee63f3a9f4

SHA1 hash:

5c36c7251d43bde36253bba6c9908c2725cb7d60

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

ae3f54593cbc93582ec2668b1472171eee4b873dcdf2630e1d37d4e1aaf14fc6

MD5 hash:

34bd5672be95c61282f513af7d291980

SHA1 hash:

1167f3ff5ee042e9e8681b9144ee3b1bdead296b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

6d61af924260777c76dafc8725520ab5a4ef953aadfc85f585e1e0239761047b

MD5 hash:

5d57f726d6e3a45372ea387becb1539a

SHA1 hash:

25ab939522013dc1edbe5a5db7916759272e4898

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

5326f733b1670d9b8db5731a1e13089455047dc6a2bfe0f8fd36fc09c687c04e

MD5 hash:

038b2dd94b55dfc8af5929e103f7f881

SHA1 hash:

ee0bbdbe454c050269f5631cc29383b98c49bf08

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

a102d5470e4f6fd28543f5585f2d3a8b1209f73119ee8badb29682abf1308460

MD5 hash:

99f789a5128d5bbadfb5b35f430a57ee

SHA1 hash:

cb7b6cd32325e7280ad5699d1867ada49e6e622a

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f

MD5 hash:

7cc5c7a43fff3cbd3974b0ee63f3a9f4

SHA1 hash:

5c36c7251d43bde36253bba6c9908c2725cb7d60

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

ae3f54593cbc93582ec2668b1472171eee4b873dcdf2630e1d37d4e1aaf14fc6

MD5 hash:

34bd5672be95c61282f513af7d291980

SHA1 hash:

1167f3ff5ee042e9e8681b9144ee3b1bdead296b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

6d61af924260777c76dafc8725520ab5a4ef953aadfc85f585e1e0239761047b

MD5 hash:

5d57f726d6e3a45372ea387becb1539a

SHA1 hash:

25ab939522013dc1edbe5a5db7916759272e4898

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

5326f733b1670d9b8db5731a1e13089455047dc6a2bfe0f8fd36fc09c687c04e

MD5 hash:

038b2dd94b55dfc8af5929e103f7f881

SHA1 hash:

ee0bbdbe454c050269f5631cc29383b98c49bf08

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

a102d5470e4f6fd28543f5585f2d3a8b1209f73119ee8badb29682abf1308460

MD5 hash:

99f789a5128d5bbadfb5b35f430a57ee

SHA1 hash:

cb7b6cd32325e7280ad5699d1867ada49e6e622a

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f

MD5 hash:

7cc5c7a43fff3cbd3974b0ee63f3a9f4

SHA1 hash:

5c36c7251d43bde36253bba6c9908c2725cb7d60

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

ae3f54593cbc93582ec2668b1472171eee4b873dcdf2630e1d37d4e1aaf14fc6

MD5 hash:

34bd5672be95c61282f513af7d291980

SHA1 hash:

1167f3ff5ee042e9e8681b9144ee3b1bdead296b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

6d61af924260777c76dafc8725520ab5a4ef953aadfc85f585e1e0239761047b

MD5 hash:

5d57f726d6e3a45372ea387becb1539a

SHA1 hash:

25ab939522013dc1edbe5a5db7916759272e4898

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

5326f733b1670d9b8db5731a1e13089455047dc6a2bfe0f8fd36fc09c687c04e

MD5 hash:

038b2dd94b55dfc8af5929e103f7f881

SHA1 hash:

ee0bbdbe454c050269f5631cc29383b98c49bf08

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

a102d5470e4f6fd28543f5585f2d3a8b1209f73119ee8badb29682abf1308460

MD5 hash:

99f789a5128d5bbadfb5b35f430a57ee

SHA1 hash:

cb7b6cd32325e7280ad5699d1867ada49e6e622a

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f

MD5 hash:

7cc5c7a43fff3cbd3974b0ee63f3a9f4

SHA1 hash:

5c36c7251d43bde36253bba6c9908c2725cb7d60

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

ae3f54593cbc93582ec2668b1472171eee4b873dcdf2630e1d37d4e1aaf14fc6

MD5 hash:

34bd5672be95c61282f513af7d291980

SHA1 hash:

1167f3ff5ee042e9e8681b9144ee3b1bdead296b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

6d61af924260777c76dafc8725520ab5a4ef953aadfc85f585e1e0239761047b

MD5 hash:

5d57f726d6e3a45372ea387becb1539a

SHA1 hash:

25ab939522013dc1edbe5a5db7916759272e4898

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

5326f733b1670d9b8db5731a1e13089455047dc6a2bfe0f8fd36fc09c687c04e

MD5 hash:

038b2dd94b55dfc8af5929e103f7f881

SHA1 hash:

ee0bbdbe454c050269f5631cc29383b98c49bf08

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

a102d5470e4f6fd28543f5585f2d3a8b1209f73119ee8badb29682abf1308460

MD5 hash:

99f789a5128d5bbadfb5b35f430a57ee

SHA1 hash:

cb7b6cd32325e7280ad5699d1867ada49e6e622a

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

4699abd34e96393cbc87062501f05c59ce41b265ed9b8da2cf733d0aca87437f

MD5 hash:

7cc5c7a43fff3cbd3974b0ee63f3a9f4

SHA1 hash:

5c36c7251d43bde36253bba6c9908c2725cb7d60

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

SH256 hash:

d5a23866761bee9282a46084f914960c477f388a158b1d69d835e27396648e80

MD5 hash:

b0c0ca85b8c80b4c6df0b55f741b896e

SHA1 hash:

13b662020711d130924b4d24f6a2ab22fc2e3b35

Link:

https://www.unpac.me/results/5108d2f7-d0b5-43f0-becc-ee1fe5a42f56/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d5a23866761b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5a23866761bee9282a46084f914960c477f388a158b1d69d835e27396648e80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/407798/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample