MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7
SHA3-384 hash: 1c1555735636fbb5dd2ef31b690e524d114708cca50c68030b4f3c39bf6c6ac5e743c04e25371b5626bab3e85371d4ee
SHA1 hash: 39a3af1c00b03d92f6fd918dd26ac526fe735ac0
MD5 hash: 43625f3626478bb6d67cb9f781678dca
humanhash: comet-salami-cola-don
File name:SecuriteInfo.com.Win32.PWSX-gen.31207.26757
Download: download sample
Signature Formbook
Create hunting rule
File size:600'576 bytes
First seen:2023-11-20 09:31:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:EvCeeRUTzHBMQxj5BlaDWv+R3rHgTB7+6S++wsNG5/jaa4rPcyikP5k6kG:EqeeRUfjxjxaDWso5xwNw/2NViY5k6
Threatray 32 similar samples on MalwareBazaar
TLSH T12DD4E152F34498E5E42712B598B7E4142133BF6E966A854D28EE372E0A7330710F7E9F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c4c4c4ccfcccf670 (5 x AgentTesla, 4 x SnakeKeylogger, 4 x NetWire)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.31207.26757
Verdict:
Malicious activity
Analysis date:
2023-11-20 09:33:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a1d4e35-e18d-4ca3-9321-1d1ed538784e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459285/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.31207.26757.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f80dcc8a-1fe6-449e-b410-8df6a2745cde
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345081
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1345081 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 20/11/2023 Architecture: WINDOWS Score: 100 52 www.canlicerrahi.xyz 2->52 54 www.visawe.online 2->54 56 12 other IPs or domains 2->56 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 78 10 other signatures 2->78 10 hYpesemouWmT.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.31207.26757.exe 7 2->13         started        signatures3 76 Performs DNS queries to domains with low reputation 52->76 process4 file5 88 Antivirus detection for dropped file 10->88 90 Multi AV Scanner detection for dropped file 10->90 92 Machine Learning detection for dropped file 10->92 16 hYpesemouWmT.exe 10->16         started        19 schtasks.exe 1 10->19         started        48 C:\Users\user\AppData\...\hYpesemouWmT.exe, PE32 13->48 dropped 50 C:\Users\user\AppData\Local\...\tmpD810.tmp, XML 13->50 dropped 94 Uses schtasks.exe or at.exe to add and modify task schedules 13->94 96 Adds a directory exclusion to Windows Defender 13->96 98 Injects a PE file into a foreign processes 13->98 21 powershell.exe 23 13->21         started        23 powershell.exe 23 13->23         started        25 schtasks.exe 1 13->25         started        27 SecuriteInfo.com.Win32.PWSX-gen.31207.26757.exe 13->27         started        signatures6 process7 signatures8 64 Maps a DLL or memory area into another process 16->64 66 Sample uses process hollowing technique 16->66 68 Queues an APC in another process (thread injection) 16->68 29 FTkVlFIZEiRnZPxuiNnLLAm.exe 16->29 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        process9 process10 39 ipconfig.exe 29->39         started        signatures11 80 Tries to steal Mail credentials (via file / registry access) 39->80 82 Tries to harvest and steal browser information (history, passwords, etc) 39->82 84 Writes to foreign memory regions 39->84 86 3 other signatures 39->86 42 explorer.exe 39->42 injected 46 firefox.exe 39->46         started        process12 dnsIp13 58 www.78669vip.com 156.234.20.4, 49749, 49750, 49751 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 42->58 60 www.christmatoy.com 79.98.25.1, 49745, 49746, 49747 RACKRAYUABRakrejusLT Lithuania 42->60 62 8 other IPs or domains 42->62 100 System process connects to network (likely due to code injection or exploit) 42->100 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7/
Threat name:
ByteCode-MSIL.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 07:37:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4lyxitzu6olffsuoisfstzuvnyl2ceakwmuuqvqlppmer4x2bplq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05af9b06832797a977a4f5c419addacd8c15453411112609bf4dd5c6106726af
Formbook
19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0
Formbook
21dc047f9ab94825e801f1459225100c58e688396b570318cc50fe8f53dfc66b
Formbook
48651fcaf687d844bf32deb03c419c63e52f295739c4c0dbed2035290f75c2bf
Formbook
5fa0081930ac23877b8f539c9c973b796fc5ccfd891029191073220fb2060df8
Formbook
8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55
Formbook
ab617df3930b1ed1ee3bf2dc4ec2db8db8fdba68ba5198183cbf96b75f37c972
Formbook
b07ff609e78d096d73e434151b8d0d3e429110dc449656a6b9f7316dd6603d7a
Formbook
f380115cce9725db41bba7feb4556265d22b6a284105e0412f86f71fe3bb8f90
Formbook
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231120-lhl5lafh2w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
a1fe4fa39f6454e309874c4a84798995397ba3fedbdfe9d04af137a54d2cf3d6
MD5 hash:
f8ce35076127bf10f1f153a99f0fa2a5
SHA1 hash:
74c811e506bd800bdc858d9d0035a76a2af6ba62
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
Parent samples :
21dc047f9ab94825e801f1459225100c58e688396b570318cc50fe8f53dfc66b
e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7
SH256 hash:
16ffa52732acb682b6adf6656651df8aa05eedcfc6a4daddfddf38f2466698eb
MD5 hash:
00829ab9e21be6531137d959db88368a
SHA1 hash:
bd3adc3c013afdecafc39287141db5f74a7dd52f
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
SH256 hash:
01f38bb4dc7f1787a239efdc7352a89b75c963bcb8227c347654879108330b9f
MD5 hash:
b1a6cdf7a2dd47e5972db92038455bcf
SHA1 hash:
b81f5c89e596726159a6b8f9915980466eeeedd6
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
SH256 hash:
2e04cf6e0296b7452840ef0bfb1e036eb6f7a45693fd597ce384a5e12f4c1965
MD5 hash:
20696324f2b8ba81f38d40d57ecd4a89
SHA1 hash:
520cfc12c38f400dc559c981b9e7adca9a26bad4
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
SH256 hash:
35c19a6d913b56c86995d668cf7f02a74fb4d700ff845d8107fb3a02ed75f95d
MD5 hash:
189558ea0f108493a11b2b05d2e24ce3
SHA1 hash:
19db0c76df3d1bb946877b124db9c654058bb55d
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
SH256 hash:
e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7
MD5 hash:
43625f3626478bb6d67cb9f781678dca
SHA1 hash:
39a3af1c00b03d92f6fd918dd26ac526fe735ac0
Link:
https://www.unpac.me/results/519e1949-8856-45b1-93b8-0714e51ada36/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2f1744f34f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2f1744f34f39652ca8e448b29e6956e17a1100ab32948560b7bd848f2fa0bd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459285/

Comments