MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd586fdc04eae13911a3f2638cb478edb6c952716e3279d854c4d855a9a70c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: efd586fdc04eae13911a3f2638cb478edb6c952716e3279d854c4d855a9a70c1
SHA3-384 hash: d4727bb2092eda8a9887366befdce855f587b39ce698847af262d80df91a00569d2f9e2d574364e8f0832b86458d0f49
SHA1 hash: 8bdb0e5a726c52fc4b476a060c7646b678bfc7a2
MD5 hash: 5e6920e180a742ffa7a56865e59ff7c3
humanhash: king-oscar-florida-kentucky
File name: 5e6920e180a742ffa7a56865e59ff7c3.exe
Signature: Formbook
File size: 799'232 bytes
First seen: 2023-02-13 15:12:24 UTC
Last seen: 2023-02-13 16:35:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:6h6q6EMiYC0ND571Vd8NremF8FirV81vawjOuuNII1c407JNvkMQiDXZnGne/:6YXSQ57j4emqp18vNBc48DkMbJGn2
TLSH T17005224E2C1C9B77E43DC3F45E2665B8E370AC6429B2E1662D9379CF36743A2045278B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe FormBook
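The imphash line above reports that this sample shares its import hash with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, while TrID identifies the file as a .NET (CIL) executable. The two facts are connected: a managed PE carries a stub import table whose only entry is mscoree.dll!_CorExeMain (or _CorDllMain for a library), so every .NET assembly collapses onto one imphash and the value cannot be used to pivot on a family. The Python below reimplements the import-hash algorithm (lower-cased DLL name with .dll/.ocx/.sys stripped, a dot, the lower-cased function name or ordNNN, comma-joined in import order, MD5) so that collapse can be seen directly, and adds a check that flags a bare CLR stub. This is an added example, not MalwareBazaar code; the import lists are constructed, and the ordinal-to-name resolution that pefile performs for a few well-known DLLs is left out.

```python
"""Reimplementation of the PE import hash (imphash) showing why .NET samples
collide on it. Added example; the import lists below are constructed."""
import hashlib

# Extensions the imphash algorithm strips from the imported DLL's name.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")

# A native PE imports many named functions; a managed (.NET) PE has a stub
# import table containing only the CLR entry point.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
DOTNET_DLL_IMPORTS = [("mscoree.dll", "_CorDllMain")]
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
    # Ordinal-only import; pefile resolves known ws2_32 ordinals to names,
    # this simplified version keeps it as ord115.
    ("WS2_32.dll", 115),
]


def normalise_import(dll, func):
    """One import-table entry -> the 'dll.func' token the hash is built from."""
    dll = dll.lower()
    for ext in _STRIPPED_EXTENSIONS:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{dll}.{name}"


def imphash(imports):
    """MD5 over the comma-joined, order-preserving list of normalised imports.
    `imports` is an iterable of (dll_name, function_name_or_ordinal) in
    import-table order; reordering the table changes the hash."""
    tokens = [normalise_import(dll, func) for dll, func in imports]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


def imphash_is_informative(imports):
    """False when the table is nothing but the CLR stub: that imphash is shared
    by essentially every .NET assembly and is useless for family attribution."""
    tokens = {normalise_import(dll, func) for dll, func in imports}
    return not tokens <= {"mscoree._corexemain", "mscoree._cordllmain"}


if __name__ == "__main__":
    for label, imports in (("native", NATIVE_IMPORTS), (".NET exe", DOTNET_EXE_IMPORTS)):
        print(f"{label:10} {imphash(imports)}  informative={imphash_is_informative(imports)}")
```

When triaging a .NET loader such as this one, treat the imphash as a file-type fingerprint rather than a family indicator and pivot on ssdeep, TLSH, the unpacked payload hashes or YARA hits instead.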

Intelligence


File Origin
# of uploads: 2
# of downloads: 196
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5e6920e180a742ffa7a56865e59ff7c3.exe
Verdict: Malicious activity
Analysis date: 2023-02-13 15:17:36 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph (ID 806376; sample QCjf6uSBhd.exe; start date 13/02/2023; architecture WINDOWS; score 100), rebuilt as a process tree from the graph export:

Top level: DNS lookup www.pointman.us. Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures.

QCjf6uSBhd.exe [started]
  dropped: C:\Users\user\AppData\Roaming\bSXixl.exe (PE32)
  dropped: C:\Users\user\...\bSXixl.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmp8B0D.tmp (XML)
  dropped: C:\Users\user\AppData\...\QCjf6uSBhd.exe.log (ASCII)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements
  +- QCjf6uSBhd.exe [started]
  |    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  |    +- explorer.exe [injected]
  |         network: www.theunitedhomeland.com 52.77.29.124:80 (source port 49696), AMAZON-02US, United States
  |         signatures: System process connects to network (likely due to code injection or exploit)
  |         +- cmd.exe [started]
  |         |    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  |         |    +- cmd.exe [started]
  |         |         +- conhost.exe [started]
  |         +- svchost.exe [started]
  +- powershell.exe [started]
  |    +- conhost.exe [started]
  +- schtasks.exe [started]
       +- conhost.exe [started]

bSXixl.exe [started]
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  +- bSXixl.exe [started]
  +- schtasks.exe [started]
       +- conhost.exe [started]
Threat name: ByteCode-MSIL.Trojan.Pwsx
Status: Malicious
First seen: 2023-02-13 11:57:26 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:g2fg rat spyware stealer trojan
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
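The sandbox signatures above (schtasks.exe adding a task, a Windows Defender directory exclusion, the dropped tmp8B0D.tmp XML under AppData\Local, and the injected explorer.exe connecting to www.theunitedhomeland.com at 52.77.29.124:80) translate directly into host detections. The Python below runs three such checks over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records. It is an added example, not MalwareBazaar or vendor code: the event records, command lines and task name are constructed for illustration, and the Add-MpPreference -ExclusionPath command is the assumed mechanism behind "Adds a directory exclusion to Windows Defender" (the page names the effect, not the command). explorer.exe legitimately speaks SMB and WebDAV to internal hosts, so the egress check is limited to web ports toward public addresses.

```python
"""Host detections mirroring this sample's sandbox signatures, run over constructed
Sysmon-style events. Added example; every record below is constructed."""
import ipaddress
import re

# Constructed events in a simplified Sysmon shape. EventID 1 = process create,
# EventID 3 = network connect. Paths, command lines and the task name are
# illustrative; only the hostname and IP come from the sandbox report above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\QCjf6uSBhd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\QCjf6uSBhd.exe"'},
    # Assumed mechanism for the Defender exclusion (not shown on the page).
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\QCjf6uSBhd.exe",
     "CommandLine": r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\QCjf6uSBhd.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updates\bSXixl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0D.tmp"'},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "52.77.29.124",
     "DestinationPort": 80, "DestinationHostname": "www.theunitedhomeland.com"},
    # Benign controls: a task defined from a non-temp XML, and explorer on SMB.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "DestinationHostname": "fileserver.corp.local"},
]

# Temp locations a task definition should never be loaded from.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)


def schtasks_from_temp_xml(ev):
    """Sigma 'Scheduled temp file as task from temp location': schtasks /create
    reading its /xml task definition out of a temp directory."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return False
    cl = ev["CommandLine"]
    return bool(re.search(r"/create\b", cl, re.I)
                and re.search(r"/xml\b", cl, re.I)
                and TEMP_PATH.search(cl))


def defender_exclusion(ev):
    """'Adds a directory exclusion to Windows Defender': Add-MpPreference with any
    of the exclusion parameters, regardless of the hosting process."""
    if ev.get("EventID") != 1:
        return False
    cl = ev["CommandLine"]
    return bool(re.search(r"Add-MpPreference", cl, re.I)
                and re.search(r"-Exclusion(Path|Process|Extension)", cl, re.I))


def system_process_web_egress(ev):
    """'System process connects to network': explorer.exe (the hollowed host in
    this report) making an HTTP(S) connection to a public address. Internal
    SMB/WebDAV traffic is normal for explorer and is deliberately not flagged."""
    if ev.get("EventID") != 3 or not ev["Image"].lower().endswith("\\explorer.exe"):
        return False
    dst = ipaddress.ip_address(ev["DestinationIp"])
    return ev["DestinationPort"] in (80, 443, 8080) and dst.is_global


RULES = (schtasks_from_temp_xml, defender_exclusion, system_process_web_egress)


def run(events):
    """Return (rule_name, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        detail = ev.get("CommandLine") or f'{ev["DestinationHostname"]}:{ev["DestinationPort"]}'
        hits.extend((rule.__name__, detail) for rule in RULES if rule(ev))
    return hits


if __name__ == "__main__":
    for name, detail in run(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

Run the file directly to print the hits; the two trailing control events (a task defined from a non-temp XML, and explorer.exe reaching an internal file server on 445) are there to show the rules stay quiet on routine activity.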
Unpacked files
SHA256 hash: f26fc4ea0c27824a013ffa528d0aee88dcaf5f4b5defd62b48ddf2facfaa5124
MD5 hash: 60d0fd39807c962e45c1ad7388fdee93
SHA1 hash: 98dbb9f3c0c9e6ac3c5bf0fd987509f6f586423d
Detections: FormBook win_formbook_w0 win_formbook_auto win_formbook_g0
Parent samples:
2a2ed868de7659c4ab333a44c6e55d69fa73edb4399997efeb48e39abfedc0a2
a02e269ca2267609aec76334e4fd13703c2071ec11a991c41c4fe785c168ef1d
3a6ba0e427cbc8428f15e8b347a9483fd11ad9aac6c65869c07665f76735f649
04d583f5e12a75d174cd94b6c4599a5db274b7056a580e7a7ab9ded10d92f845
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238
59564998eea247b74fae4eda4ec4d033c71dac44ee51d9317df8dd88d0fc4fd7
7e1902c99be3570624c34b1a087ca24ed8d47430374b6a2366d0432cb3e2a423
992ba1b139e91db060bd5d50e486447e5b1b85f4629fd7be5baf83b33478860c
f00c0f04ef631da780c92bd7249339579672e0898ed1ff05fa7617d2c182e682
b5334d7f1855536729093e624f9a5b548cdf0c74db12aba62280f7064090e4a0
497ca74514404b8699709d6fd3e3ab89cbd5eeb8fb1a5dea69561297f6a5e09a
f68fa6b1bbbc7654157a918b34bb633c008a0e8f9cf608e763ddade76c543791
fa20666ddef2dcc581feec3be79cd35b4d9f44e2dc713ee0eaeae73673b83b0c
10aa7088156f972d7f44c8183c9b26c4ca290e5e1b92b59585a91b9946fb73e2
73c029fbd27d0c281ac91d030160bd9ba859ab57db73b5fd7011f470ab90fc8e
a3c1b0817789d0b691bcbfa175958d2b24ad98020ba776c11aadde1d89a964ba
942196f0ca8e1253e7dd381b1855e4b56b8874a2d5def9d472507ddaf306ac86
1485956980a9f44192c5e1f6c8a4c9b6359de63b4a95e7c257f4ba6f9492a8dd
b63c82c7ada645bc96da74ebd031970c0ee2e7a568c2929181c146144682b2c3
731b5cd4aa18acb39bcfbb690aa93ef24f374c96b4d61845a58781241bc0bdee
1c3f48c41ff949d4c6b27d671146abb3f13be640843027a5ec33177bca81aef6
7a39f705b79a26591fa930c917ebf37ac8f0394017521970a45cb8c49c3bbb65
c4771044788147e2c9acb052dfbf6d291400add558b59ad0e6d0c5f42f3ec3e1
3bea5fb4e6d7f626a3448f9815c3ed932a8bf14fc7eab5739cc5dc69de03960c
e5938a9efbdbf0a81790e0287b086b4a322b756db37ec4006419a6ada47073be
c0f665918f4ea75327960ddf58cf37e415a6bf6569a4c22aa6291fbac9d171ce
5c4b6b6b72e020bea0a32b9ca0542bd404e91eff6344648aae077ad332593744
ffb2ebccfae79f8c1d5911d41e549a8f876a10708053a4f3a3dbc2ec0e04be48
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
2ac7632aac460d738f260cbc0913805ca0b3421f7e241b9708688be292600e73
59a7fc4a8a50af26da5eb5cd0142fab8ef93140c2dbade41fd4ce316778ec82f
879ed7e70f3065461580484acb99e57762c9c86f1a92acae280fdfecf0f50cbb
5938c544d44a8b9714eb80c498d7cbb327b55d8176541118394d3357727f3d28
e009f07c6ca122574b584c8b883e3983349d8d4a372ff45aef77af52d5251b9c
7e98adbd789e5f62288e3784bb613e332642f2ac533ad873b5744c7a3d2afc16
4e7ff374bf5f0989e5d1e4ae395c9229a0d786ec1669dd0cf0fadf2a3f898554
82004564f9c882c4ae8edc74ef12e9ebde3e6018150864bfdaee8ac8f5048216
233a666fce4179d561dbcd31f35624fd3bc21068ae08995316eb9e5f7debf6f1
eeb925601fdf3c1d3155c01e836017ee29a9b1342b5c4d084839424aaee41a6a
28553a815377abf1848c9f84e528e6115969744b4d735e2e0cab9e4ed919a23d
be0eb1bf95016367e097709002bfb12c31419a9d9214f5a743d61fec0869e94b
a700153db70dd52ea66a74fc09145bbcf39a8019a7d31f733e8ef204494ca6ab
8b70ca4638fa94692c4c816a5e6d78dbf4b714d729cf76b6408080b4a33cb80e
11649edf97c44a364aa23ec2d01a39ed40efe81f025120a621b36c696620b441
e6507a30dc00cd8ec7b0b945c3549bcb313352e6443560394d136cb59486598e
bfbabc5cf18aa403997d34e8920f17303dc84322553b14ea8e535165da2f1766
5968a20b202c7e35ee2a6731bc76e5d91872820c2c500cdca13539c33c65dbd8
817bb218dc3c136428947e26d4e54bc1efa5047865c9061f032bd72c40cb133c
0d80a3569771d4ad7af902622df71a797cc61a80a958732c7c5f6191f4116e35
1406976ef0e50ea7ed59ff0a8175c3938694b2d2f8bf113e3208fdb48cb9c0a3
96ca0f177718a65118eeb4782cb0642e7529e670e7e7f2b692ee750c44734475
d1503f3fd8e620f55c8705f8bb1f7f233ba3fdd6eaaf2e44e310a6e77ba54fc6
4b077e18b18dad16af3d09e790347383572d0bdbc2f5cdd0eed96c61c960b211
7845453819c89f24416bfa15744e3625fafb7544d5beb180f6fe02a4d639b227
f1d6dee5489870d7cc620521cce6009b2fc0d4cada1ec66a979ef53faf6c1fd9
a06999e015bc924adb4a463c17853e238886b5a7c2c3de6f3614413e0794528e
cdda311b19b7310a22c171a9e83e6eb26f0319b9ea904cd6cbbed31b371e8fc7
1b4b34f61e8c7544cd51784d30da4e21134bda0b2e8c23ea740ca83cab04e58a
d936dbd1677939645b8945767ce9525ad92f068e0d81c9316e4c83fe916811cc
3a22fb14f837309023971bf41b88cfc9b3ae7d9db44da63257d36d73dbd716ad
0d70b935ad36ed959f487e0405eb6810bde06a538f862baf0eeb24d41b6188c3
5d781e4eb5ff900fa98654ed3c4de450539f80dda2f2e03a6303f781937ecbd4
4143f0d71056023faf4ba8117632af6086496686f1ef88da843c7252d7e1eb97
09037aa0be8db35b9e9fdebbcf4b513fc3837825d0114474ecbd396e698c5f8d
af950b5a12cb2f97b66be1ca4cd05b528919e25ef03c04a07d8b25af2acb501a
fd8ee1def801bc959d1fefac476f1adea2c6d66f21fe1c144e53e4b1fc92728c
212604b13ca215693db01f642c18e800aeb394f53d1f559b939b39fae9708d87
e4d9569944d2384d12aefa1b70f9c9799bc5f31e3031078b022bc144424dbe29
f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
71ea65acce74b5793f509989efe2b9dee25d7700f6d52aeb07e321ad2ebe0b59
556db57800de1a678ad62a5d6c85e2de783f3965429679a5c0f584ca3bc483ed
11b7ed15ae6b1bb53ad3eeff567acb939f794bfdf067b6c3c07c19a15a02fb8f
aa82cdf7520b7cc07288287395288f37a49a955dcd45b0bcc079364c43ceb298
fd57c25c7f4a591450adba8e8f2755e6a8ef62e9e28b745eae0a7369dc5ef4aa
67cc4306421a289d79bfd855c3da5e7ccbfe55e8eef44fc6c48aea748848ea5b
550d710de80bc48622dab82bf9f26b405866ff5d463bd06748c3419ad5ac7de6
62563b5858256c4048137b94b1f0f3a6abb1cef7e2f9afdf3e874d08ac3ab708
b3938532376b8d895ba266de98386155798e984764ea778c43a842a3124ccfde
40c9387d1982d53944fa9a527152ab7103457d7fb3b37865af98fe399641cf75
efd586fdc04eae13911a3f2638cb478edb6c952716e3279d854c4d855a9a70c1
fb1ccc21ef84112ec41d904546fa6e35c0ee0ff48626b68dd2d1839f77a4b508
6c16d294d574746cc94efbd7c946f73381bb1c857ba468ce37b8c672fa1faf57
0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df
ee62bac96fdf6c8fa0bf931f53a9858584cbe77e814f3e0a08a9a0fcb1fe55f3
5bdac8b30125850db84f9c3dceee1dfbbbc67e1ca5501cf678e14b835f38000c
c31db5aec9add40498b70fadc64eecb0b036cc0d894868ecd365213bd23dd064
ef5801704c64fb48c3bc3f96ba58f18ed4a320835d0f5d36732b3b5c2a2724ef
adb24e3f246fd2e4d38866e9273f7f511af700a1601399bc695b01c5ccdbd43c
d740e51f896255da1f4c88a7318bf912977675c5c571a73a5a925a0e120f3d1c
abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
SHA256 hash: 6a7b0cd698a5f522eb52e0cf64f162f976a93b780744bc346f02e981a856eb5c
MD5 hash: cf9d08cd3ead89c11f4768aa9d6274f0
SHA1 hash: fb23396e9f3b3e3bc9c9f42a3b3408b5fb3a68ab

SHA256 hash: b4124f151e6ba09440dbd432807a7032b0a12071bc3ce22d5bb072956d1ad020
MD5 hash: b5c9f142bd9b601cd089a30858d983c7
SHA1 hash: 9da4304065775ec79bde91a356b73c8f0eaf674b

SHA256 hash: 46cb32256dba295b72212185d3bf29e54de9f78fe32a8e43c82288285c3bf721
MD5 hash: 453d8d23d417dacecac4ad0235d2b420
SHA1 hash: 6aaffef79f32f151aef9d5c548ac9055ea6c2f35

SHA256 hash: 8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash: e5b073b30db1b058298f5df032164e4d
SHA1 hash: 15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca

SHA256 hash: efd586fdc04eae13911a3f2638cb478edb6c952716e3279d854c4d855a9a70c1
MD5 hash: 5e6920e180a742ffa7a56865e59ff7c3
SHA1 hash: 8bdb0e5a726c52fc4b476a060c7646b678bfc7a2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Formbook    Executable exe efd586fdc04eae13911a3f2638cb478edb6c952716e3279d854c4d855a9a70c1 (this sample)

Delivery method: Distributed via web download