MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc
SHA3-384 hash: b82c8ee9fded7f152b2d754ab9deb98f6ceb7c7f629a2e9d2b0c1ac40aa98f4d28e100b0431f04f085ba51a2b5b4c1ff
SHA1 hash: d63b0f44eff73bbfa2949a47c503d3fa1ff2a224
MD5 hash: 2c3af67b622e7995777c91f9b64d37fa
humanhash: ceiling-massachusetts-fourteen-tennessee
File name:SecuriteInfo.com.MSIL.Kryptik.AGMJ.tr.27252
Download: download sample
Signature Formbook
Create hunting rule
File size:944'128 bytes
First seen:2022-09-23 05:39:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:cd/yNU/TuF4sC0HuV/ldxf9eOBx0mLtOCyOeULosAj6yFiVC3nGv/Oj:wyOLuFEpV/nh9eM6fOeUU
TLSH T1C015BF6A76943A9FC003D935C894DDB0A755AE62921FC24361E72C1FF46E6D2CB10FA3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/312504/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AGMJ.tr.27252.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/632d46c16aa625318dcfd040/reports/e0dceb79-f854-43de-afe1-6a8c166b4a7a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14c733e3-4802-4b0d-9af0-3610f1e2595a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075686
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708228 Sample: SecuriteInfo.com.MSIL.Krypt... Startdate: 23/09/2022 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 9 other signatures 2->48 8 SecuriteInfo.com.MSIL.Kryptik.AGMJ.tr.27252.exe 7 2->8         started        process3 file4 30 C:\Users\user\AppData\...\ZWLXkesmLC.exe, PE32 8->30 dropped 32 C:\Users\...\ZWLXkesmLC.exe:Zone.Identifier, ASCII 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmpDB3A.tmp, XML 8->34 dropped 36 SecuriteInfo.com.M...MJ.tr.27252.exe.log, ASCII 8->36 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 8->52 54 Writes to foreign memory regions 8->54 56 Adds a directory exclusion to Windows Defender 8->56 58 Injects a PE file into a foreign processes 8->58 12 RegSvcs.exe 8->12         started        15 powershell.exe 21 8->15         started        17 schtasks.exe 1 8->17         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 12->68 70 Maps a DLL or memory area into another process 12->70 72 Sample uses process hollowing technique 12->72 74 Queues an APC in another process (thread injection) 12->74 19 explorer.exe 12->19 injected 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        process8 dnsIp9 38 www.kocabaymasa.com 149.29.83.151, 49698, 49699, 80 COGENT-174US United States 19->38 40 www.ab3699.net 188.114.97.3, 49697, 80 CLOUDFLARENETUS European Union 19->40 50 System process connects to network (likely due to code injection or exploit) 19->50 27 msdt.exe 13 19->27         started        signatures10 process11 signatures12 60 Tries to steal Mail credentials (via file / registry access) 27->60 62 Tries to harvest and steal browser information (history, passwords, etc) 27->62 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 05:40:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mkenkqhlbrdudooxyk52z2cczxtshwzhciuwpudhemiwikrh26a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:nhg6 loader rat spyware stealer trojan
Link:
https://tria.ge/reports/220923-gcv34ahbhj/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Formbook
Xloader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7c303614-4e78-47f0-9cf6-7e1c380ad6fe
Unpacked files
SH256 hash:
0fe9987f49193699ae7f0f0d3f3cbbbf3d6f49ef9974f9996eabb65b96b79fad
MD5 hash:
86a1f76afd106fb440250d7db6e36127
SHA1 hash:
78d7cf2ac79de13df0284b1fdda8723399363c46
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
Parent samples :
db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc
5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
89af280045471592c70e1c139db75bbe28354d08370ac05dff4ea8245f2088b5
c85a06161a28fcfcc80891d618c37d37b72e970be0be060fec72925424412044
SH256 hash:
43d845107cb087ae980d87f2d03b60bd18cf92395ea0b10894680817144a0240
MD5 hash:
ee9ef71b76eb8c2d1099ad65b0527e7f
SHA1 hash:
59bb60e81e1f15aacf2c8daceafcfa18a8f371c2
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
SH256 hash:
422afe277da78503b94162ce458f6889eb420b99a3190f7de648f16db8c27e30
MD5 hash:
eb6ab6b97f75ce5290f48166808a8023
SHA1 hash:
dc4521ee64d9c39579cfdfa638de4e5b25b9a715
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
SH256 hash:
998f8496062d0086acc2bdcd912e94254168e6230ab281117b63e23c1228fd03
MD5 hash:
39c8b2ef041ab947b959abfe7a456ad9
SHA1 hash:
a3c26f0c0b80ca7e14b223351e829fa5f3debc08
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
SH256 hash:
db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc
MD5 hash:
2c3af67b622e7995777c91f9b64d37fa
SHA1 hash:
d63b0f44eff73bbfa2949a47c503d3fa1ff2a224
Link:
https://www.unpac.me/results/4a4211fd-a198-45ac-8ede-a1d4fb0f4528/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db1446aa0758/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312504/

Comments