MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 19 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55
SHA3-384 hash: 3146fdede2e06cb6b8572ffde9a099cf1d15a74d102f03483a382ad7f5ac0852e0baea1359e2876269b2fc8555f78ff4
SHA1 hash: 854dd1d5a7e5f9f832a0b2094c53e9612b588764
MD5 hash: 9647d578b84e06709db03e8763b033d9
humanhash: pasta-vegan-monkey-carbon
File name:9647d578b84e06709db03e8763b033d9
Download: download sample
Signature Formbook
Create hunting rule
File size:733'704 bytes
First seen:2024-05-22 19:52:53 UTC
Last seen:2024-05-22 20:23:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:7d25fwSsBM/f4NQ5S2PP57BEnQQm3Gv9YnSq3RPUsIXybOnpw7yV8lbKuldpXyqd:7dtwTToQQm21k6sIP7mbKuTObycwGjle
Threatray 215 similar samples on MalwareBazaar
TLSH T1A2F4230E7BD8F202D7BD8FB552FA9A014B35D6D2BA12DBD91CC404CB84E7BA0875164B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
435
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55.exe
Verdict:
Malicious activity
Analysis date:
2024-05-22 20:33:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb28421f-769f-4749-9ebb-ba1a490fbed1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2858.6310.22382.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664e4da5b5e3b4de8ba168c9win10vpnfull_triage
Tags:
Encryption Execution Network Static Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/664e4d2b7f3804904d007a68/reports/318b9f32-2116-4edf-86d7-2a62cccb40b1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73469a5d-92e0-412c-8051-352519610fde
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1446089
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446089 Sample: GXu0Ow8T1h.exe Startdate: 22/05/2024 Architecture: WINDOWS Score: 100 55 www.99b6q.xyz 2->55 57 www.xn--matfrmn-jxa4m.se 2->57 59 9 other IPs or domains 2->59 71 Snort IDS alert for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 79 9 other signatures 2->79 10 GXu0Ow8T1h.exe 7 2->10         started        14 xtkgtig.exe 5 2->14         started        signatures3 77 Performs DNS queries to domains with low reputation 55->77 process4 file5 51 C:\Users\user\AppData\Roaming\xtkgtig.exe, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...\tmpFD4E.tmp, XML 10->53 dropped 89 Uses schtasks.exe or at.exe to add and modify task schedules 10->89 91 Adds a directory exclusion to Windows Defender 10->91 93 Injects a PE file into a foreign processes 10->93 16 GXu0Ow8T1h.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        95 Multi AV Scanner detection for dropped file 14->95 97 Machine Learning detection for dropped file 14->97 25 schtasks.exe 1 14->25         started        27 xtkgtig.exe 14->27         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 16->67 29 ELGsdIvNhaSFmNPMIL.exe 16->29 injected 69 Loading BitLocker PowerShell Module 19->69 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 99 Found direct / indirect Syscall (likely to bypass EDR) 29->99 42 dfrgui.exe 29->42         started        process11 signatures12 81 Tries to steal Mail credentials (via file / registry access) 42->81 83 Tries to harvest and steal browser information (history, passwords, etc) 42->83 85 Modifies the context of a thread in another process (thread injection) 42->85 87 2 other signatures 42->87 45 ELGsdIvNhaSFmNPMIL.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 61 parkingpage.namecheap.com 91.195.240.19, 52220, 52221, 52222 SEDO-ASDE Germany 45->61 63 www.kinkynerdspro.blog 94.23.162.163, 52212, 52213, 52214 OVHFR France 45->63 65 3 other IPs or domains 45->65 101 Found direct / indirect Syscall (likely to bypass EDR) 45->101 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-05-22 12:13:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4iskexkeddwciu6lgkd74e2bnnvgolpgd5qdihdxe4p3wm4hbjkq._file
Verdict:
malicious
Similar samples:
341314b72f568feae0b065d49222be752ff92e3d25399a93d9bfe5f15036c65d
Formbook
7ff86583279b30615f6ef62b356c10a1f2f203d6e5437f6632236219e27fcc3c
Formbook
9b2e166e69584f44f60b0d8a73335912f90e689ecaa2061afbd637709fba4393
Formbook
c3fb8862aa52c578aca75ee923448a3013ff97e2ebe3b0dad8d6d708e78262bf
Formbook
e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
Formbook
+ 205 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240522-ylyzsaed58/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/263966ac-1dd3-4c32-a0bf-bced7673e73e
Unpacked files
SH256 hash:
6e093e11ecf0b624902be2e85d2c120e7cebd9dc3d882e11a658d2ef3083c5e9
MD5 hash:
7e29b899a573f0662c2c59588e62b523
SHA1 hash:
ee1d0cde2b34332668e65bc9d8715d3b7d06dfa0
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
Parent samples :
efd15711fec91fec88b1b6c704932a4e6697b79f9ea12d2b766b53081c18d438
e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55
ac61066997c1ed196dc3311c32afc2507ec5e97c46242b12871dcec8b558e040
SH256 hash:
c1c823b721025cc3b1b2d1c9ca85af2b1acacbb17c17c326a4e97b55219a35ec
MD5 hash:
ae3c132f8ffbee8f9b7c7a21b1ebbec3
SHA1 hash:
97dc762487e30eb1a15f2ead39403a99b5c115f1
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
0b7dcc18b0ef39734a24ca5923b02df82c670d08365fe376f2ed4ff9fcbc6303
MD5 hash:
0441cc0dacc6d821252e66a156b1d9bd
SHA1 hash:
df46cc702950a53a5de7b804d2076ef03f8ac6b4
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
0a19c27f590c1839737d4e8e35a87dcb68d11176dc3314d7d910df3039dd96bc
MD5 hash:
9971dd6d837988722ee051a289a9a73f
SHA1 hash:
70b4b60cb1979deb7a323c6c2f814230459c58cb
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
619c80b7eb6cf574d0f6d0c84450d4dd56735eea3222d85fbdb33b4aba339c20
MD5 hash:
438ed2354bfd425681e3e492cd7a272a
SHA1 hash:
69f62d75d80422c6fb9d778b00ec7a4b953d3ab4
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
ae12301995e19706c288fc9f061c882f54f9263ade97b290e0b16af1b8cebfe8
MD5 hash:
4daa5ac97306c97515c60fb19ec7f91c
SHA1 hash:
fb50aa3ec8743ae98bb91f22c064eaa17833894c
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
74bb48da700a979069e371d14f57953402b173299a6360220b79801e5d9016cf
MD5 hash:
1a8289e3eb82b4b6ed05bcbc1c8da6e5
SHA1 hash:
cc05f9b9ff16e327465aaacd4fc17d89da630857
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
8bc4088bbaf129da76a0514a133b9fbb5117c91b3b1107c2016d41c904a6e05f
MD5 hash:
73227740af9637dc7f00d390af535d71
SHA1 hash:
ad4751b92d59288671e51a099b967765f7f0a579
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
acb21618fdb392d3986e9c53a9ce3ec433869e61ba240e57e5d114ede7b4bbf0
MD5 hash:
20a0c524692b78d2a1ae6d9c48010fcc
SHA1 hash:
6e1595b82deeea361eedd2280497056becacb521
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
520deef398c773cc1549daf0286463d602f4ec4544d2051d9cb4ee3644766b63
MD5 hash:
6f746f76e6c335508208ad4dc977d70d
SHA1 hash:
5cfa398beb038827e909c2358e7dd02c8a68ad7a
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
103dd504e612349bfa74815b71ef959aad4513d69e70cde9e2d818e001611661
MD5 hash:
f68f0292188fc7e44ee3c2350819669f
SHA1 hash:
149bf0d529ba16077abecf65a03da0d29779aced
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
SH256 hash:
e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55
MD5 hash:
9647d578b84e06709db03e8763b033d9
SHA1 hash:
854dd1d5a7e5f9f832a0b2094c53e9612b588764
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/d991482b-8e39-4db2-86cb-e9b1e1886e91/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e224a25d4418/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e224a25d4418ec2453cb3287fe13416b6a672de61f60341c77271fbb33870a55

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2859856/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
zbet commented on 2024-05-22 19:52:54 UTC

url : hxxps://covid19help.top/loud.scr