MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e1f6fcf313a740a6df4d2ee3903d1fcf9e761b6355cf9444845666c332c33e4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 14
| SHA256 hash: | e1f6fcf313a740a6df4d2ee3903d1fcf9e761b6355cf9444845666c332c33e4c |
|---|---|
| SHA3-384 hash: | efa9730413e6980502462bc379b3dbd53e92d24b503ab5ac4397a533a9adaf85d55adc72d2cff4ce5b3afd3ae8c208fe |
| SHA1 hash: | 65a3c54bf30aabfed30c4f1d983ddf73aa015ad3 |
| MD5 hash: | d6a1a3afb4786f2dc3bbe719b0de5fb9 |
| humanhash: | florida-carpet-ten-white |
| File name: | Reliance Industries introductions.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 1'342'464 bytes |
| First seen: | 2024-09-09 03:37:05 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla) |
| ssdeep | 24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8aqI7thrARbgvjPBO9QUv6h:aTvC/MTQYxsWR7aqI7tb7IS |
| Threatray | 3'554 similar samples on MalwareBazaar |
| TLSH | T1D655C00273D1D022FFAB92334B56F6514BBC69260123E61F13A81DB9BE705B1563E7A3 |
| TrID | 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla) |
| Reporter |  threatcat_ch |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
516
Origin country :
CHVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Reliance Industries introductions.exe
Verdict:
No threats detected
Analysis date:
2024-09-09 03:37:52 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32
Verdict:
Malicious
Labled as:
Trojan.Win64.Injects
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.AutoitInject
Status:
Malicious
First seen:
2024-09-09 03:38:06 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
15 of 24 (62.50%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 3'544 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
5/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
8f7c2fe09af5a4282bb16d2cc5561df632a062db4681dcb5abb2e5e9c8a6d27f
MD5 hash:
f5af7782ef28bc461e34168b71a6b196
SHA1 hash:
eeebe081b4dcfa2b3fc2d7df22871291f2c55301
Detections:
win_formbook_g0
win_formbook_w0
Parent samples :
521196ed73a172a302646f16359f4feb399074028998d84a34d304c59ec7fc4e
e1f6fcf313a740a6df4d2ee3903d1fcf9e761b6355cf9444845666c332c33e4c
c201296887964e07884ce78a9e66132f6301f149aa23bce2cb28ec47befbe330
664189b73de4a2ed7720dbfe4b54bfb3a9521d589abf29d63ba229be1794a2f4
b9ec326744f6959a04ae78400d11af0e3e5cfc3fa154654a509a6bb0529ff02f
9bf5e6cbdb4879d457b4e9e870b7c174a5531a2b94ce5b66905b0de5da03c07d
e0a831d8ac0ae79931f90b1e58b5b9318c783ab1525abb84d40c29fa03392887
3b0a3b5b9b2b7b85715e23728437f0a31c9155ad06a50ddffb3a14616b0eb159
2c1002f978075407db43534371e829be77f2d01f13cc9bc02e1c18f419cb010d
d1e8963fe9c917767e86ac4b883d780ddf34f0219a01cb087b77e781336275ac
83394a3cc04fa49e89a7f513260bbf071b97712996f32daab0a7a3d1b7af9607
fd98700a7e9ace0a863b0392d688b7ad07f47bb5c40685916f3ac4bb34e51448
e1f6fcf313a740a6df4d2ee3903d1fcf9e761b6355cf9444845666c332c33e4c
c201296887964e07884ce78a9e66132f6301f149aa23bce2cb28ec47befbe330
664189b73de4a2ed7720dbfe4b54bfb3a9521d589abf29d63ba229be1794a2f4
b9ec326744f6959a04ae78400d11af0e3e5cfc3fa154654a509a6bb0529ff02f
9bf5e6cbdb4879d457b4e9e870b7c174a5531a2b94ce5b66905b0de5da03c07d
e0a831d8ac0ae79931f90b1e58b5b9318c783ab1525abb84d40c29fa03392887
3b0a3b5b9b2b7b85715e23728437f0a31c9155ad06a50ddffb3a14616b0eb159
2c1002f978075407db43534371e829be77f2d01f13cc9bc02e1c18f419cb010d
d1e8963fe9c917767e86ac4b883d780ddf34f0219a01cb087b77e781336275ac
83394a3cc04fa49e89a7f513260bbf071b97712996f32daab0a7a3d1b7af9607
fd98700a7e9ace0a863b0392d688b7ad07f47bb5c40685916f3ac4bb34e51448
SH256 hash:
0f8133b8c8868d4b419261b60d596b7f5f8c30912ffb8bce0651bff9c3d02193
MD5 hash:
42d31f85fda59cb6fbbbdcb10b604b74
SHA1 hash:
e537ab3cc763a9412eea741b790e2cc352d7f944
SH256 hash:
e1f6fcf313a740a6df4d2ee3903d1fcf9e761b6355cf9444845666c332c33e4c
MD5 hash:
d6a1a3afb4786f2dc3bbe719b0de5fb9
SHA1 hash:
65a3c54bf30aabfed30c4f1d983ddf73aa015ad3
Detections:
AutoIT_Compiled
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.