MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b
SHA3-384 hash: 1e6d1836b410a045ae2b5093260b1826c5be3cc5b22ae8df5fc17c03c25f4f1634d89f1a8c924427913243aa234fdbf1
SHA1 hash: faf0dbae07381ec6ee629771bb1cd2c7032f1110
MD5 hash: 4259edd21474a3980ac3bdd0ae948168
humanhash: echo-minnesota-wyoming-steak
File name:SecuriteInfo.com.W32.AIDetectNet.01.20530.13443
Download: download sample
Signature Formbook
Create hunting rule
File size:763'904 bytes
First seen:2022-05-26 02:34:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:zMePPOEBwbZbHo36sJ9jcnvdxLa7RwekK7Xn7VnFYIZ756eHPdex6N2I/OA+uz:zMeP54ZbHoTJCVxLSk4XZn+IZV6asO2c
Threatray 12'924 similar samples on MalwareBazaar
TLSH T173F4013422D80715E6FF0FB9D4AD340C077A6E4A6112D64EDE8DB7F918F27824E22A57
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.20530.13443
Verdict:
Malicious activity
Analysis date:
2022-05-26 02:36:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/517753e4-e775-4c36-bac1-2fcb3c2470d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274641/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.20530.13443.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/628ee75b054dcf0ecaef68dc/reports/898b233a-4609-469c-b469-d4983bc87488/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/384db01b-25ba-4e92-b868-1c6a822dbb6c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001935
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-26 02:35:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xboeszke6ucf7l2eyi34hwwjwviatvldamviybqcqkapyuosqnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
20270f15d9070f9c2b1d22f0bf2f77ca5ca3dbcf6ccc148b8383a947eb6ebcd5
Formbook
5938c544d44a8b9714eb80c498d7cbb327b55d8176541118394d3357727f3d28
Formbook
7b3ac209ae00cd1fdb297032b35d2d0b1c0e1e66d95b1c90045e44c223232c93
Formbook
be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea
Formbook
c7fbbdd84572a117d47a54168e71b8bd86f0c70198468486f6c3a040e9ecc310
Formbook
db440e46563f70af514f9705f188cb3c334c64a206895da47f92ef34bbb0dd4a
Formbook
+ 12'914 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s0w6 rat spyware stealer trojan
Link:
https://tria.ge/reports/220526-c21mnaffe9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
Unpacked files
SH256 hash:
1b88ec07e7a1bc2c9413e31fca6a15931e1bff65c7e296ad187c3104dd4fac30
MD5 hash:
49d653596027e9fcb0364237bc656096
SHA1 hash:
50ad71926c6266a6c6a5541aea118f3d04c1d41b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/02311ab4-5257-4a34-ba68-02e4dd91ac4b/
Parent samples :
b4a65b2daf7061d116c2bdd500a40376e170efea89a6b0cb4c68d63606a8e107
d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b
94a55907591211a457315f3b73162da7bbd3f94d231d23e05d5fca4e158cfb64
SH256 hash:
abeac993d62ad5bc0d261e17a4b74057739afa386289485f22bde1d72933b8f8
MD5 hash:
6e57cf24c8fcdfc15b8a0422f9ff0863
SHA1 hash:
babe6d313139de16d825c203f463e08501812801
Link:
https://www.unpac.me/results/02311ab4-5257-4a34-ba68-02e4dd91ac4b/
SH256 hash:
9625679c4de553048c0b40ae6a41e2d6cd105f31108d7aa0e77fe609700f7f7b
MD5 hash:
b01abdfebb3cc01d96c03e31307937a7
SHA1 hash:
5540ad5a2d62dbcbe44facd081598e4dcd91256a
Link:
https://www.unpac.me/results/02311ab4-5257-4a34-ba68-02e4dd91ac4b/
SH256 hash:
742bfb49cf3904931ce87b810106611867a6b4b7a8d69f308e21d9d221365b3d
MD5 hash:
81cf021b05eebb622775151dc87f2aa1
SHA1 hash:
480c103ac6e66fe00b488d286832dc89eee088a6
Link:
https://www.unpac.me/results/02311ab4-5257-4a34-ba68-02e4dd91ac4b/
SH256 hash:
d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b
MD5 hash:
4259edd21474a3980ac3bdd0ae948168
SHA1 hash:
faf0dbae07381ec6ee629771bb1cd2c7032f1110
Link:
https://www.unpac.me/results/02311ab4-5257-4a34-ba68-02e4dd91ac4b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5c2e24b2a27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5c2e24b2a27a822fd7a2611be1ed64daa804eab1819546030141407e28e941b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274641/

Comments