MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
SHA3-384 hash: bd744fa942fe638e9504ffba6378a84e9c8465bf7a7762bdf5cccf849abfbb4c8cf20882727bbf2d48aaf073c92391b3
SHA1 hash: 8ca066ef5fcc5ad9bb4c9d90d5f4a2e404aa0f40
MD5 hash: b8499f9080bb9e31a11a86e0807d406d
humanhash: october-cold-glucose-leopard
File name:f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
Download: download sample
Signature Formbook
Create hunting rule
File size:772'608 bytes
First seen:2023-04-03 13:43:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qYPmYMUnFW/NyboltiAhtHTxePHsKyvZyc6R7IokYabOP76yfA5:qYPUwkziyHTypyBycMsRYabOPDY
Threatray 2'459 similar samples on MalwareBazaar
TLSH T157F401346BAF9139F93A1BBC85E42691976E73B35723C44D14B211CA4B63B038AD172F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 209488c66eb85922 (14 x AgentTesla, 7 x Loki, 7 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
Verdict:
No threats detected
Analysis date:
2023-04-03 13:43:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2eedee6-7ccc-4f54-b73a-797724865012

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379715/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/642ad82386877205784f589e/reports/a3fa4c16-932f-4da0-a36d-1d0a4a2a4c6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13517b91-2a1e-4959-ad5e-3016aaa6e133
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207091
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 840004 Sample: eK7wjZyiSZ.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 26 www.lsutherland.co.uk 2->26 28 www.croboc.com 2->28 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 4 other signatures 2->44 9 eK7wjZyiSZ.exe 3 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\eK7wjZyiSZ.exe.log, ASCII 9->24 dropped 12 eK7wjZyiSZ.exe 9->12         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Sample uses process hollowing technique 12->58 60 Queues an APC in another process (thread injection) 12->60 15 explorer.exe 1 6 12->15 injected process8 dnsIp9 30 www.lsutherland.co.uk 63.141.242.43, 49700, 80 NOCIXUS United States 15->30 32 www.cardinialethanol.com 96.126.123.244, 49715, 49716, 80 LINODE-APLinodeLLCUS United States 15->32 34 10 other IPs or domains 15->34 36 System process connects to network (likely due to code injection or exploit) 15->36 19 wlanext.exe 13 15->19         started        22 autochk.exe 15->22         started        signatures10 process11 signatures12 46 Tries to steal Mail credentials (via file / registry access) 19->46 48 Tries to harvest and steal browser information (history, passwords, etc) 19->48 50 Deletes itself after installation 19->50 52 2 other signatures 19->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37/
Threat name:
Win32.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-03-20 02:29:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ixc2gtjapgozutrvcziprbh6qjh6wlgx4lwdtykbzihdp7jhq3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
Formbook
1e525975cec93758de32a42e3385aa8a8b285a2556a0048c2f4bcf2106d2529b
Formbook
22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7
Formbook
363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
Formbook
55539014be63262397d727fb06f42992bf43a3429eea2cfbd671db0e0746e9e6
Formbook
84b41f626786ed7a54e2fa20578126a1865c4b070242df9a535178d576a6ca91
Formbook
85ec808ea496cecaac7987b39f394e96b0c13c83bba11a754ab6a91141fae2ac
Formbook
90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
Formbook
e4432b656843ac5be19e0d5d5e29cc57c855f0ec514b67d93d0e8603567e2ed5
Formbook
+ 2'449 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230403-q1tdvafb32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
53f3bceda55aa98f261a4fc63d8dd4726a38994e188b33bbd7fd50fa1a975c9b
MD5 hash:
d4434e8b2342e61f54d228d6df31f812
SHA1 hash:
9f168691f334ef9c8a109106ba588bbba550e043
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
Parent samples :
85ec808ea496cecaac7987b39f394e96b0c13c83bba11a754ab6a91141fae2ac
363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
SH256 hash:
59017a6310baa0bed9e81421e0aa5c0e4502cfac22d04e831a01b0b5ca2d2ffb
MD5 hash:
e604fdff24a148a78940020b9e70f6d6
SHA1 hash:
095d30c80275839590aafd0fadb13fa8e7508b75
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
SH256 hash:
8c94dbbc9fa42cb45b8f6ba134df4ec28dd24c5dd93f80d286eff7552d073e11
MD5 hash:
895b9bc06dacb5097757497c4317ae0f
SHA1 hash:
c3f4579fca0325ac3189b6089eeb5d052df66701
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
SH256 hash:
f228490bf18c3eb6bf9fd5cebf5e19b42882298b84d56d5d39fc03e1b2ce4e36
MD5 hash:
b8cd9200d5e40b0c30caca1ad7215499
SHA1 hash:
a27d7b274448325fab88b78e2ea0e271672fad5c
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
8629d23ee65861fe334cab84bb0a707cb4ebe0b82325b0749609af56e966949a
MD5 hash:
90d8900c342a8023ee370603077be9b9
SHA1 hash:
56fce5c0de651e28890b63418c9073813565a3a9
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
SH256 hash:
f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
MD5 hash:
b8499f9080bb9e31a11a86e0807d406d
SHA1 hash:
8ca066ef5fcc5ad9bb4c9d90d5f4a2e404aa0f40
Link:
https://www.unpac.me/results/1d2a4b28-ec70-49d5-997f-3e1b1a4f750b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379715/

Comments