MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e37b7ab55a181fa8e716b4694e85736075ce0d67b7b3aa024d7fcc7f65f1e0fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: e37b7ab55a181fa8e716b4694e85736075ce0d67b7b3aa024d7fcc7f65f1e0fb
SHA3-384 hash: ba884b479b95850fe4436c0bde4d66f54a717826c7dce384fd0d7e09f5ff6cc34c8c33843f30908090dd6f629f17a2a3
SHA1 hash: 128d0b9e5c18c1a8379a7d43feb39177d7096b33
MD5 hash: 6bdbcdd90692eca1f89c9f948ccb6e32
humanhash: ohio-white-louisiana-autumn
File name: PO REGSEW4298.exe
Signature Formbook
File size: 665'600 bytes
First seen: 2023-11-27 09:20:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:jh1UgTYEn2NvnbsJF/B1ABCGx46Ap74TkO+7wyrJ68yv8:HUcYbkGhxRk7Gf6rJ5
Threatray 366 similar samples on MalwareBazaar
TLSH T1A7E40200B2B94F26D5FD4BF71052190017F1B7ABB2B6E3044DDBF0E6AA65F520AA1E17
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter adrian__luca
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 295
Origin country: HU

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-21 17:11:13 UTC
File Type: PE (.Net Exe)
Extracted files: 19
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SHA256 hash: 77ab8f0455c55011ce04e2c4228ff804c6fb6b3a2148becb140531ad9fe950da
MD5 hash: ac1672534538508df4949ef2d28d3e08
SHA1 hash: 2bce89225660d62af41adcd7d76b03d7c057c2ba
Detections: win_formbook_w0 win_formbook_g0
SHA256 hash: 11909279b5fa9edebcd0824b677d68176d332ae49f273a22d4b01782fea6fc80
MD5 hash: 335040de04cc59c79151ab2f9dcd55db
SHA1 hash: e4d44b755d3697bb62d9fca2c3e64e5cfafa3f69
SHA256 hash: 66b73b2d42e9d81b8e19595575ffc95477f1af4e7cbfcab318d3e7fde6480843
MD5 hash: 95fa30c3550271b5e9f484ff89edbd09
SHA1 hash: 9a6d103b0c5ab230bd2ebe9a7450a88276a3e74b
SHA256 hash: dddb0e6f5597d66880fe2eb9bbdc5411c353e27c10a762615cf5f7fb15176c4d
MD5 hash: 4f65936cb7766f1c94488d5ba260d737
SHA1 hash: 593859b830f52b38bce53c2c7d63baea1ef2cf07
SHA256 hash: c34dfbc328de247d25d670c3b7853f1dddd2ec2607d5dbb0480743b45a15ea64
MD5 hash: 85b87384830444e6ab86a4a692ce96cc
SHA1 hash: 0d7d4614cf31d27e68ebf48e76fb1d308cc08152
SHA256 hash: f40e14938be3cb89ae571f6a033954af3e36cc363387374fe1d583019e9900f5
MD5 hash: d27f0c835cf536067d439e4589ba329c
SHA1 hash: f647612f5ca19a4da634275b62c70b2752de356d
SHA256 hash: fd6c7875a405040ecdaf439493eac22426e73e16d4e4437ab457ac1ed1c64a7f
MD5 hash: 5d53d15e40644108865707f432071e12
SHA1 hash: d928e2504c51b87d7d180f00a0c2b0f35bba1f0f
SHA256 hash: 81b91e4fd761cbd9f71b3c7dcbf8dd1e10df6acfdd524b7342a4eedefb9b5fa3
MD5 hash: 4ca913ae4ed5c9aaafc982d6a1b1cd76
SHA1 hash: 7fbaf90b6e05f1fe0780b4400e81ae871d29ab97
SHA256 hash: 11507b1b2c1f1ede9d7133f1333f83833372159831d60832a984b1be9cd33c5c
MD5 hash: b6016c816bc4956cb79b17a35ec80989
SHA1 hash: 66b8042267ae57c8f7a18e98e6ba2a7ae9ee7924
SHA256 hash: 149bc781ee2446c4dd3672e2e7cddf49bf36466847ce532faba919ed076cad64
MD5 hash: d39590fcfc3fd0089591d58e20f24308
SHA1 hash: 4a544cc36af3c0d8c6081ef19a101cb6fb8126f9
SHA256 hash: e37b7ab55a181fa8e716b4694e85736075ce0d67b7b3aa024d7fcc7f65f1e0fb
MD5 hash: 6bdbcdd90692eca1f89c9f948ccb6e32
SHA1 hash: 128d0b9e5c18c1a8379a7d43feb39177d7096b33
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe e37b7ab55a181fa8e716b4694e85736075ce0d67b7b3aa024d7fcc7f65f1e0fb (this sample)
Delivery method: Distributed via e-mail attachment

Comments