MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e784850d4fc071228bba54d1f04b228524b13cae191f624bc30661286b6fe39a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e784850d4fc071228bba54d1f04b228524b13cae191f624bc30661286b6fe39a
SHA3-384 hash: 13a348419d77729ce0d7fe5a3deeed8f10060a072f1e701fcf7dbc4679af13992947174cb87bfa15e74943ca6b467070
SHA1 hash: eaa6b655c1106262dd9155171e34a4de25e6ad86
MD5 hash: ce441921fed3e3df2f36522a1f223623
humanhash: earth-oscar-cola-washington
File name:oferta BH8453CC_XLS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'002'496 bytes
First seen:2022-05-23 19:58:39 UTC
Last seen:2022-05-24 08:19:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Dq2iN4d+Zn7tAV9MGL+Z8o/BYYrKGEIU1E021YNo7hnCuPvs8X34s6sRbx97:Dq1dYVuGaFrKGQX6YN6hCUv5n4sbb
Threatray 916 similar samples on MalwareBazaar
TLSH T1FC250122AFE9875AEA798FF5843082446BB1BC4A3121D71F4D8678CD7C31BC25F51A27
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8d17326b6945410b (11 x Formbook, 5 x SnakeKeylogger, 4 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
oferta BH8453CC_XLS.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 20:03:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f359d686-5fff-4801-aac8-48a74bf5e483

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273856/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/628be7c80be8a16da4e81256/reports/9bacccfa-0204-46a5-8c43-b8cb0ee0911b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d4a4432-f7ad-4e81-88ed-f51a83d9fdc9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1000192
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e784850d4fc071228bba54d1f04b228524b13cae191f624bc30661286b6fe39a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 19:59:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
60
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46cikdkpybysfc52kti7aszcquslcpfodepwes6dazqsq23p4ona._file
Verdict:
malicious
Similar samples:
44ba196d26ded5256953332dbcf8f1e4eef73522687836158ec13065917bb36c
Formbook
528c91f11caf89a7331dd4ba3c599903ea8f6543b715aa1420f5c70099e4c964
Formbook
581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8
Formbook
73cc22c11897bd7b8c323c9e134af297f9d725186127675ad0d2c64a305ab58c
Formbook
9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842
Formbook
c7fbbdd84572a117d47a54168e71b8bd86f0c70198468486f6c3a040e9ecc310
Formbook
ebc698f8b5b41a150c1f74cbea8b403eeff3049435285675757fe8b9f85ccf45
Formbook
f1a566ebee3c225b2683813ce31c30f6e7648c1dcdd03c991a2d2e99c11bc6d7
Formbook
+ 906 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220523-yqc8waecb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
5f7dbefa3f851bca54095afa23ba680fc39772df7eb341b22507734d4334e983
MD5 hash:
fe3570bd1f115e2cf3462c6841f78cb1
SHA1 hash:
f2def16d9dde9baecbaa84688a4c5b7bc07d493b
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/25292f7a-08a1-4751-9774-b3809b455956/
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/25292f7a-08a1-4751-9774-b3809b455956/
SH256 hash:
3ccf62991ac8ae2d178e665d6718c974ebe45e4c3864c274ec8284f7900139d1
MD5 hash:
73cdcd73736f225bfe54789b52b1e904
SHA1 hash:
c65832ca96467c761ec6b2f31a8c83471e97fb45
Link:
https://www.unpac.me/results/25292f7a-08a1-4751-9774-b3809b455956/
SH256 hash:
518443fbd0c102b61369c43e89a134fff51841602a5e669578e1697adb43e132
MD5 hash:
8f11759a589eef321afe3a9a6c011bf4
SHA1 hash:
bd7a0c51b893ce0d880cc518e176e564c8451973
Link:
https://www.unpac.me/results/25292f7a-08a1-4751-9774-b3809b455956/
SH256 hash:
028529229bd1f61872a13be0e75777cf40692abfe25423895723eba1f52aace9
MD5 hash:
4bfc24b4f47d764032c18e580e232d87
SHA1 hash:
2ced06d02c9b2aa0c4712edaf8bc4606377a1092
Link:
https://www.unpac.me/results/25292f7a-08a1-4751-9774-b3809b455956/
SH256 hash:
e784850d4fc071228bba54d1f04b228524b13cae191f624bc30661286b6fe39a
MD5 hash:
ce441921fed3e3df2f36522a1f223623
SHA1 hash:
eaa6b655c1106262dd9155171e34a4de25e6ad86
Link:
https://www.unpac.me/results/25292f7a-08a1-4751-9774-b3809b455956/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e784850d4fc071228bba54d1f04b228524b13cae191f624bc30661286b6fe39a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e784850d4fc071228bba54d1f04b228524b13cae191f624bc30661286b6fe39a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/273856/

Comments