MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be
SHA3-384 hash: 5fe5a975ecaf38b775c4bcbe04c88a138d7d05004c5d81a70e5cfc23cd97f0d7b3b9299eeabe73fcd737c5a7b1070b95
SHA1 hash: 30399ef50fd09099f31c93f3a36e1b6fd2ee07e8
MD5 hash: 4915f9b3f1f8701c746f8e1d41c42c10
humanhash: comet-king-undress-cardinal
File name:SecuriteInfo.com.W32.AIDetectNet.01.5198.19647
Download: download sample
Signature Formbook
Create hunting rule
File size:1'090'560 bytes
First seen:2022-05-05 10:53:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:g3xUlO41oSaMxU/1hUgCt9uoUoLeugYcGkWfipt8yXGRWVWgyjo34goijV3gtTjt:LO4wH1NoLeuyGBiH5GRvo346jZt2
Threatray 15'281 similar samples on MalwareBazaar
TLSH T150356ED1F15088ABED6B05F1BD2AA53024E3BE9C54A4810C659DBB1B76F3352209FE1F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.5198.19647
Verdict:
Malicious activity
Analysis date:
2022-05-05 11:09:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cc0077d-d79d-43b6-82d2-e86cc61c3056

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268875/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.5198.19647.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6273acd00d3e2bd52d2bf13a/reports/cb1d1ef9-21ad-4b49-8f55-43c1d5678db4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/528b8b1a-35bd-4d37-bd4a-95a5512369d7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988443
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-05 08:38:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ykr5maurywmb2e6vpezls26myqbggukmwgr5m6hrwtvgbtfio7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06bdc739d26559129afbc157dff8ef0f616dbe885a6cd8a2f43b62efaf848bb9
Formbook
0b547b6fbd2328c64aab9806e3617ec953098db3af45a2546697d9ca7ee838c9
Formbook
19a007d4980b99ea32ee2d9feb1c7479ee4c7b165b159fd4fbd33622b661009d
Formbook
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
Formbook
898b47cb2e4d16a7325de16aae14c3c66894467ece923e706c186ee9ab75799b
Formbook
8c1de309eaa9d9a48f92587f93f88304ae1aa48aee62e7ede11893f1ca61775e
Formbook
95c6926c4af01e7a782b16967a66b3c349f24a6ab2393b1a20c47e28a1ad7249
Formbook
c0e6b0b4e80d36f0872fe01ed20cc5a6d17083f6d11ff93cc5ccc841dd43aa33
Formbook
+ 15'271 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:hsot loader rat
Link:
https://tria.ge/reports/220505-mzjapsaegj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
f72993da75396849b8f58292a3fc1692bd5f9df07fc0526cb3b4e4af427f53e9
MD5 hash:
f681eb16d79cca0fd14a7796d6d8b45d
SHA1 hash:
a90f0607f42b7c1c6fe96c620a21fc6a525e059b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/38969db7-8909-44ce-8c6f-1b62c96f5f31/
Parent samples :
2f6a10bdc0e72b2b49bfdb61c307c72c8fe2fc9dd5ede0cfabc63ea5aabf9a4f
99f7e07f84e40e362b58d7b84110898eda66ce1e6906b2e27f1e9a9cae90e548
e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SH256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
Link:
https://www.unpac.me/results/38969db7-8909-44ce-8c6f-1b62c96f5f31/
SH256 hash:
952031191dd8f0d9e3f52624b6e6836dda0eeb5c22dcee48f6e9c408a9c847f6
MD5 hash:
fcacc24e4d878143d0fa9f6380dd3050
SHA1 hash:
21e3554321d0ab846be240ff39f0e014f768bf3c
Link:
https://www.unpac.me/results/38969db7-8909-44ce-8c6f-1b62c96f5f31/
SH256 hash:
3ea44cb78a3d08b75307744355c6551125eb8a6a743b9bb9e46cf1a12c78a8cd
MD5 hash:
038b43188718f1207aff649d9d9bc4ba
SHA1 hash:
17602a040da4e9c9e19c90b96c3647c9aeaa46ea
Link:
https://www.unpac.me/results/38969db7-8909-44ce-8c6f-1b62c96f5f31/
SH256 hash:
e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be
MD5 hash:
4915f9b3f1f8701c746f8e1d41c42c10
SHA1 hash:
30399ef50fd09099f31c93f3a36e1b6fd2ee07e8
Link:
https://www.unpac.me/results/38969db7-8909-44ce-8c6f-1b62c96f5f31/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6151eb0148e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/e6151eb0148e2cc0e89eabc995cb5e6620131a8a658d1eb3c78da753066543be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268875/

Comments