MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
SHA3-384 hash: a2a15bda365b8c2a78046105344d46aacafec00b57fd8d5a53ec9b59015454adbba0d812d49069ea2fbcff364a8fb30f
SHA1 hash: 35f7257d9347d744de2dbcee87b1662682c21356
MD5 hash: 9a1b77d1856a7fa970416220dfc0f988
humanhash: yankee-summer-football-butter
File name:rfdJHFYTjIOzuwrA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:690'176 bytes
First seen:2023-12-13 12:06:36 UTC
Last seen:2023-12-13 13:24:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:vEfuIhGy+YYUBYbrRLZbBbZu3FwTIdJd/fIyXN/7mBtKD4idggJe2JMMMDMMM:zHYnCbrRNbzwdnR/KPYdPJeSMMMDMMM
Threatray 3'758 similar samples on MalwareBazaar
TLSH T1E8E42320E35AF25BC2F9EA3578B2012322BA5E5D7C06C75334AA4E9C2576F043653F67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c44484ad8d8aa444 (8 x SnakeKeylogger, 3 x Formbook, 3 x AgentTesla)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467154/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10870.489.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65799e6d8b5ba47db2e11ce1/reports/e4f45eff-98da-463c-b71c-1382f4a0b690/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea69b020-7982-4bcc-a0e2-15b589b16d19
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361338
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-13 09:32:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6afv7psgjappmtthqaoyya5miftkw52y7np25i6wngd7tye4jlva._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d
Formbook
8ba8416d095006be656b4b4e0eaa987cd84a5236641020ebaf22b0cdf08b24ef
Formbook
b4cbf684e8873e04a1ff54c62bdb9eb5782d1cea507edc3cef13ac280f049a2f
Formbook
d92da33493917017ff937789890dfacd02c22671abd9ea8c196ea9dfd90f3a72
Formbook
f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
Formbook
+ 3'748 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231213-paay5sdha9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6336395090:AAGlS3Upwr7T6JbViy13mpkETSIn7zCu3dE/
Unpacked files
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/61579614-6c43-4d56-84ff-8ea54fe8ef0d/
SH256 hash:
b18a10c18d214ebb3c7da95ed0775ed9f033c52ca209363acef9d9243228e624
MD5 hash:
c38cdb5a16737c83c4c9d2060d35dedc
SHA1 hash:
93801de8ca7caf42cda56f9dcdc6d808fa356840
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/61579614-6c43-4d56-84ff-8ea54fe8ef0d/
Parent samples :
f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
70369453cd6e8481ce8f2fc4fa4074fb998a27ff6f91bce6caeab0ecac36493b
SH256 hash:
069fef43dc8bef92e3ac18e5350e411877033c611be88bf9aa1c2034dd664603
MD5 hash:
2881f197e2b49ad8c2429d428ddb8ab2
SHA1 hash:
8d784dad83a2ff5aa5f30f219bd7b92c99f8ba88
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/61579614-6c43-4d56-84ff-8ea54fe8ef0d/
Parent samples :
9f58500972fe9038c23e03bbf762494b356e358aebd9125a0a55d9f9ffe042af
4708153c6d03a1d3c32475f529229073defc77516416b5d7b808a9fa345b74e1
f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
9d833b4a66beca22dcee2a030ffa0ff1a9c72eba3f9ee50eb412f56806915f87
3669763315f84b7a290c35dac2ede474e2f66915f0d3ddafb901f5bf38640d38
eaabbf2674a70aa254e89b831eb0caa7599e6fc3747e3380cea1ae5b4952d7db
70bb422c14c0a6b025b134c2f1a49c3e6c1ba206ab844f314a76dfeb308669f1
48640541d98ded5a850e2c281cd551eea3598502ab725bfa2ac4ce5f7846b3ed
9a1138a162bb083659fe3716b97ed51486af388c69929decf4db49577c826bd2
add05b10b13891172810c8f90bf624f892ad69fed993944491736cc283a31b01
7314bbdbc2d9f2a842b72db29af17e6e85ca93465a9d4ca53706c671eb86f68f
a581cd3affde45fe840caaee68d4896414839a2e863b00e248888bef5f7270dd
d97147a27a5e87a356dc86aa78f6f764805c16454453014d4b68d510487147d4
fcf48a9792abfda9d9c9d32c6e7348e4cf3fed606c4aea8acf4e2ba4fdf08caf
SH256 hash:
4d652724e1019c20f6ada42c800e6a599882a44ba0102f841dc69539f2db4f44
MD5 hash:
981372327ca7e2695b0c5e2ceea5fb03
SHA1 hash:
66695192b1c82f284a7ed42289f1221f0d65e5e6
Link:
https://www.unpac.me/results/61579614-6c43-4d56-84ff-8ea54fe8ef0d/
SH256 hash:
f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea
MD5 hash:
9a1b77d1856a7fa970416220dfc0f988
SHA1 hash:
35f7257d9347d744de2dbcee87b1662682c21356
Link:
https://www.unpac.me/results/61579614-6c43-4d56-84ff-8ea54fe8ef0d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f00b5fbe4648/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f00b5fbe46481ef64e67801d8c03ac4166ab7758fb5faea3d66987f9e09c4aea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/467154/

Comments