MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78
SHA3-384 hash:	5d38d21d40c3d53ea2b5252ab6aa00d8f0ddc6e9ed41281d1e1459288823160196a2ee9872c5e430eab6358a3ed117aa
SHA1 hash:	c694ad75fc0c8cc366a42a65bf04845d6f083bef
MD5 hash:	0dbfc0e5cd0d4cf45792c63758962d90
humanhash:	steak-illinois-venus-oregon
File name:	PO 0588060624.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	837'632 bytes
First seen:	2024-06-06 15:27:05 UTC
Last seen:	2024-06-10 10:45:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:iz7ChtcY/YLLEmmmmmmmmOhHGOFXQdO2aY1goMHSZf5ETTh1HuCsuCwYBgtY+VT1:iz7C3c68QkXMOslBETTHWBgtY+VTqC
Threatray	34 similar samples on MalwareBazaar
TLSH	T1EE05021622689FC6D62143FEE66092607B70706F6032FFE46DC591DF5F2AB08056AB1F
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	64e4a4a4e4e464a4 (10 x AgentTesla, 8 x Formbook, 1 x Rhadamanthys)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78.exe

Verdict:

Malicious activity

Analysis date:

2024-06-06 16:50:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0376f45c-e6ae-4e1c-9672-f9a9608b7495

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.14539.20067.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6661d5866b8dba248b3da7f7/reports/125386f9-810e-4d56-a657-b9a8d2a0f483/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce647d0e-d03e-497c-891c-545c843660a5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1453171

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Antivirus detection for URL or domain

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2024-06-06 02:27:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4hm2toqr3gp2qzgksmvbsc563efii2mfuvofqkdj5hyzgdlmlr4a._file

Verdict:

malicious

Label(s):

formbook

Formbook

2ec8179daac23d3f433702623eb9b216057e114480b271a6225f228c51bee0d2

Formbook

3960ee46ae25e3141eb0a05b0caffafc7b40655ea178fc11eada45e590fd6e00

Formbook

85f0e05d9d2478bb305506b9363dfb84f836f27c1a65d3daedb3fcb037e46ce5

Formbook

b785f1d99e5fdebea270af63f0e02600995989af85eb754fbb1e9cc141d26d5f

Formbook

d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0

Formbook

d27b84a1393497d5f1a1d6a7200ff7f2508cbe8fb5cbc4be219e61e038ac21b9

Formbook

+ 24 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240606-swj1qagh73/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

7fb8eb22fd7da53800f5f0067bbfef3f4cced07ca6d741469444748786b1cb96

MD5 hash:

f3a55e94c6e6a0b6e75c173f63f98239

SHA1 hash:

4fdd9c4c40b9d47fe9a375a378b820cff83c7ced

Link:

https://www.unpac.me/results/a6d7fced-b5e3-4ae2-8939-f76f9cef184e/

SH256 hash:

9616e39aafc254e340412f7076d1354e48f10a141096e8fbd3a960b7fade3e3a

MD5 hash:

5b235a7e3918b1c59f5f37c9492328a7

SHA1 hash:

8b8d53b8b2bba64035f79f3214b763eb3ab0e9df

Link:

https://www.unpac.me/results/a6d7fced-b5e3-4ae2-8939-f76f9cef184e/

SH256 hash:

1a1de9f3fe4c3a7ea7cd547cdd9d78b3873d6e243e544e5bb647452d6d9f6cfe

MD5 hash:

ceb52a5c98659e8905ea76737fe00c01

SHA1 hash:

bb7b30ff84d6aa26eaa0021c9fa3cd2c5a08e694

Link:

https://www.unpac.me/results/a6d7fced-b5e3-4ae2-8939-f76f9cef184e/

SH256 hash:

a0b68f990181a15ac83410f9c3f9933ff6cd61eb34bb443f6577bfd0edc888b2

MD5 hash:

86d56e63c9a8d418f4f3a7bd2fb91439

SHA1 hash:

5e884d8c5f65edaf2b0c11b1807466cbabef5a2e

Link:

https://www.unpac.me/results/a6d7fced-b5e3-4ae2-8939-f76f9cef184e/

SH256 hash:

e9319f360d8400e7dd18207e0731d4222b7b88f6aece7641cb960a033dfbe043

MD5 hash:

90af36207084292ebceaf0aa6a1586f7

SHA1 hash:

2583769c47d4203a8263aefeeb72b7194e272d5e

Link:

https://www.unpac.me/results/a6d7fced-b5e3-4ae2-8939-f76f9cef184e/

SH256 hash:

e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78

MD5 hash:

0dbfc0e5cd0d4cf45792c63758962d90

SHA1 hash:

c694ad75fc0c8cc366a42a65bf04845d6f083bef

Link:

https://www.unpac.me/results/a6d7fced-b5e3-4ae2-8939-f76f9cef184e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e1d9a9ba11d9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e1d9a9ba11d99fa864ca932a190bbed90a846985a55c582869e9f1930d6c5c78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample