MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046
SHA3-384 hash:	6bb8d5cea65f0200dbfb052275841fcee4678ed376ca03128ce04ff2d54773a2806be57ce8c2036e9ad30b58bb50c31b
SHA1 hash:	f84ac56bd5206db6564ad31e3acbfc97539a08c7
MD5 hash:	b83f2f8f0c8deea1683116cbe8a8d1f0
humanhash:	red-gee-oscar-maine
File name:	SecuriteInfo.com.Win32.MalwareX-gen.25663.13420
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	664'064 bytes
First seen:	2023-12-14 07:22:50 UTC
Last seen:	2023-12-14 08:51:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:TjJ0oLtqyqSVRGheijA7aRwM+PQrINkySy6DHJ48xWRFgo:TOgYyqQR8VNF+P7kySyqp48I
Threatray	646 similar samples on MalwareBazaar
TLSH	T1FFE4230115E48F3BC9EEA3B990A5567B03B192123657D2EDDCF0A4EA1ACB784D312747
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

296

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN formbook

Malware family:

formbook

Alert

Create hunting rule

ID:

1

File name:

0738-12132023DEC.ISO

Verdict:

Malicious activity

Analysis date:

2023-12-14 08:17:56 UTC

Tags:

formbook xloader stealer spyware

Link:

https://app.any.run/tasks/85beebe6-a2bf-4603-8e8e-54928943d321

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Formbook

Detection:

Formbook

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/467389/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.25663.13420.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/657aad5a56d08f7811b047b1/reports/b2dd0f76-c705-448b-92d1-a192b2b74675/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5417a075-8fd2-49be-9bfa-225667c66926

Joe Sandbox FormBook

Result

Threat name:

FormBook

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1361969

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AgentTesla

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-14 04:20:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

7

AV detection:

20 of 37 (54.05%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=27yn57utfde42m3rt6azmoxfi5gqunyurkpatukqqa4hprv6ebda._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

11d9bfab2d9c7344ef52970bd53f3dae040d3821f8ff0a03ba1f3d92593f7717

Formbook

482fe81656515bb2c9d01bb6d5d6497834fdc36758a069616a4c71a995c10aeb

Formbook

6de3ca2658af9f752d06492509b21dbe3862fc018270f56d5a2894cb6e5a1e7a

Formbook

af577fba54197b9d6d539da592156b01e7ceafccf01e515c1255f9896cadbfd5

Formbook

d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046

Formbook

dc7e71bcaab267806ba177fe20ca6362dddd73b424c956c3fd13fd36a201f449

Formbook

ebaa05165e9a04e110a016a74016effe016f9e19c83fc73f25ed6b3c49db40d8

Formbook

f925810c89fa8a74336dd667fd0b57e3caf827a0976647a20d655351252b91cd

Formbook

+ 636 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://tria.ge/reports/231214-h7vaqadea3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

UnpacMe 6

Unpacked files

SH256 hash:

96adebe2d3724b09c5f8d594729bbf9b084d9b6dff3398c5e1c7d79d0ca642e3

MD5 hash:

66177a12d0bc968626c1716133a08e46

SHA1 hash:

df395156d246854650801b46607b4a1b2ba47721

Link:

https://www.unpac.me/results/00c3df04-f270-4f02-a9c4-454ea8192031/

SH256 hash:

a0f01eaf0772e8a22deec7deaffe23c78790261a8e917005e7796e12f4b89b6d

MD5 hash:

2d194f56ed6fd1e15d977f873b63df83

SHA1 hash:

adf44b215e43477d8e70b942c528a83df3837c7b

Link:

https://www.unpac.me/results/00c3df04-f270-4f02-a9c4-454ea8192031/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/00c3df04-f270-4f02-a9c4-454ea8192031/

SH256 hash:

eb7e7855575e267e1ad0d9994d0a1cb01d7210d5a0fc14d825e6a738fbe091bb

MD5 hash:

0f90cb08bcecccbd7e2bfec1c75fc644

SHA1 hash:

85276fa8551e4afaead31994d718c71ca39a53b5

Link:

https://www.unpac.me/results/00c3df04-f270-4f02-a9c4-454ea8192031/

SH256 hash:

7975113ec29c93ee7c66e34ea14d3c61b14f124a2ca47914a4b85c539e419e88

MD5 hash:

9d7b13990d2ec618b6a67b04402f58a2

SHA1 hash:

36a6f876d5f52ed24c41e46f3a1d9d4389a8bd89

Link:

https://www.unpac.me/results/00c3df04-f270-4f02-a9c4-454ea8192031/

SH256 hash:

d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046

MD5 hash:

b83f2f8f0c8deea1683116cbe8a8d1f0

SHA1 hash:

f84ac56bd5206db6564ad31e3acbfc97539a08c7

Link:

https://www.unpac.me/results/00c3df04-f270-4f02-a9c4-454ea8192031/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7f0defe9328c9cd33719f81963ae5474d0a37148a9e09d150803877c6be2046

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467389/