MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f
SHA3-384 hash: 19fc596b8d3aec282debd6e4a0726f134f8b9121cf906eb34b11e6064535ae71ab939fb58aee9090030ec7eb0aa6a929
SHA1 hash: 38cb4ce90e7e19bb42f3fb6d48e69d02db891ec1
MD5 hash: 912b66f6aeee60ff00e90b9d267529b3
humanhash: charlie-florida-whiskey-lion
File name:SCAN 000090499000045739.IMG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'137'664 bytes
First seen:2023-03-10 07:08:59 UTC
Last seen:2023-03-10 08:31:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:3uOZ6wGkB+e9uf8mSiEPQ3h5oPIpYAMYDkX94bMtP9DGfO:SYQ38+Y72O94bu9GO
Threatray 2'341 similar samples on MalwareBazaar
TLSH T17D355B92E9995D5FE613CB3A5333580D21671D25F23DACE62C78F1A62AF26830721C37
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SCAN 000090499000045739.IMG.exe
Verdict:
Malicious activity
Analysis date:
2023-03-10 07:10:57 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/fe70fcc4-10cb-4953-8acb-1d6fda9dffb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373229/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65851788.31601.22619.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/640ad78f7975027880144487/reports/eba6b88f-8c1c-4877-adef-688e48d0e3c7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e5a1af3-14c7-4b6d-96b8-12dbe39c313d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190946
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823820 Sample: SCAN_000090499000045739.IMG.exe Startdate: 10/03/2023 Architecture: WINDOWS Score: 100 74 Malicious sample detected (through community Yara rule) 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 4 other signatures 2->80 10 SCAN_000090499000045739.IMG.exe 7 2->10         started        14 lSKfiPQsNNpnoZ.exe 5 2->14         started        process3 file4 52 C:\Users\user\AppData\...\lSKfiPQsNNpnoZ.exe, PE32 10->52 dropped 54 C:\...\lSKfiPQsNNpnoZ.exe:Zone.Identifier, ASCII 10->54 dropped 56 C:\Users\user\AppData\Local\Temp\tmp552.tmp, XML 10->56 dropped 58 C:\...\SCAN_000090499000045739.IMG.exe.log, ASCII 10->58 dropped 88 Uses schtasks.exe or at.exe to add and modify task schedules 10->88 90 Adds a directory exclusion to Windows Defender 10->90 92 Tries to detect virtualization through RDTSC time measurements 10->92 16 SCAN_000090499000045739.IMG.exe 10->16         started        19 powershell.exe 20 10->19         started        21 schtasks.exe 1 10->21         started        27 2 other processes 10->27 94 Multi AV Scanner detection for dropped file 14->94 96 Machine Learning detection for dropped file 14->96 98 Injects a PE file into a foreign processes 14->98 23 lSKfiPQsNNpnoZ.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 16->66 68 Maps a DLL or memory area into another process 16->68 70 Sample uses process hollowing technique 16->70 72 Queues an APC in another process (thread injection) 16->72 29 explorer.exe 3 1 16->29 injected 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 25->37         started        process8 dnsIp9 60 www.ns9x.xyz 29->60 62 www.eldritchventures.net 29->62 64 eldritchventures.net 34.102.136.180, 49723, 80 GOOGLEUS United States 29->64 100 System process connects to network (likely due to code injection or exploit) 29->100 102 Performs DNS queries to domains with low reputation 29->102 39 msiexec.exe 29->39         started        42 systray.exe 29->42         started        44 autoconv.exe 29->44         started        46 autoconv.exe 29->46         started        signatures10 process11 signatures12 82 Modifies the context of a thread in another process (thread injection) 39->82 84 Maps a DLL or memory area into another process 39->84 48 cmd.exe 1 39->48         started        86 Tries to detect virtualization through RDTSC time measurements 42->86 process13 process14 50 conhost.exe 48->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 14:00:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2x7j5q2hrx6glikn5uokh2oo2nqwc6qil3dmhwq33g44yaedkepq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a5a2cf364aca0c9dcf7b760be3c8e9cff4f5ee3b3d1571a94d5f149e81a37d1
Formbook
4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552
Formbook
520332210fa79a3628b8a514f18ba872117489cb013809161629d1443d8ae800
Formbook
628aa31e938f6407d365b1c833953f4d5b696c08c55b2b9905e2ab6dd724039b
Formbook
8510156c681956fa592f4e2f346a7cd02ce7a00a31264dc2106e6e0b5a4b267b
Formbook
8848260baf85d9da96dcabdb756b5ac0fd6449361ad497d6e68a81cfe8565aad
Formbook
8dbb132dccc8fb8a83062fec3840b1556a75862c07d22a0740ca095698ed0f6d
Formbook
92f0746ddd0eeb0811fa39cf23258b669f3e9b422edc48057971ec94002fa9cb
Formbook
9bdc185c4c52ab97921a7d99b7bfe6e22ac5be828d999b19e41983b3c79af0c9
Formbook
af2338dccdb59d40b3e6fbde008f3fad793ae9910fc3f2210bf6e9a311bd8044
Formbook
+ 2'331 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bpnw rat spyware stealer trojan
Link:
https://tria.ge/reports/230310-hysersdg6w/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
fd78f3431f6f17eaf953c0d551df5beeaea5ded90208d9a1da069d205df47369
MD5 hash:
766a56e4810ef3e31cad700350964d54
SHA1 hash:
091387174081761dc5fe88fa5285f97f68705601
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c2392063-cdec-4030-b2cb-d842de0159f6/
Parent samples :
3f0c02a6aba9a637ccbc0e9f3ba35e50ef50d89827d804c163a77fa4e027b583
d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f
34c2526748f1214c70cbefa7e45e067e86e78c79759cafa9fdf1082795ed92bb
SH256 hash:
43e1de9567843efb2d23a1ad0af74047f8ffb18aace27e1b1ee53c52c98aa183
MD5 hash:
f39d5fae7651d21d81f5c1e5a016f713
SHA1 hash:
c8a642d2a0a1ae8445972454f431a882ae592b0f
Link:
https://www.unpac.me/results/c2392063-cdec-4030-b2cb-d842de0159f6/
SH256 hash:
57c9f486be687ebc08a756e5fd750fc63f3f3b8892b46508589ecfd2b69c9eca
MD5 hash:
cd7051e0594ee4d89521baffc7693b41
SHA1 hash:
9b7ee6f1bc68f29807b96c7487b12c751cff427b
Link:
https://www.unpac.me/results/c2392063-cdec-4030-b2cb-d842de0159f6/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/c2392063-cdec-4030-b2cb-d842de0159f6/
SH256 hash:
a92eb76df50d3f1a003c2755a61de0e59e72d242dc84fad56bc9c4a35d1d288d
MD5 hash:
465848da7b60c9316f858e568f0dcd35
SHA1 hash:
1d6b1448968f4c77b9b9eb72c0688e3bcf88262b
Link:
https://www.unpac.me/results/c2392063-cdec-4030-b2cb-d842de0159f6/
SH256 hash:
d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f
MD5 hash:
912b66f6aeee60ff00e90b9d267529b3
SHA1 hash:
38cb4ce90e7e19bb42f3fb6d48e69d02db891ec1
Link:
https://www.unpac.me/results/c2392063-cdec-4030-b2cb-d842de0159f6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5fe9ec3478d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373229/

Comments