MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
SHA3-384 hash: 86567294dc7cb0e844583206b9a305b1cca7a5ab23347bc3938f339a1cd40da45bf36e37e527ceca78832958507a25ee
SHA1 hash: db43868ad7aa5517998c7c486d4b564d3a683621
MD5 hash: a507ce96d65b8ded1a32998e65c65cc5
humanhash: lactose-victor-hot-avocado
File name:AMED.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:564'224 bytes
First seen:2023-04-13 09:04:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:tX0+hk6HUIzCjgY9xaYZRykP8/fK+F7U+yMC3anu:90WKGC/9xZkkxEmM5u
Threatray 2'636 similar samples on MalwareBazaar
TLSH T19EC41262B2854A77D85882F50D7A982103B76C2BB971C3CD4CD738EE25F33C11562E97
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b42549516949694d (7 x Formbook, 3 x GuLoader)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AMED.exe
Verdict:
Malicious activity
Analysis date:
2023-04-13 09:06:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e9e2070-44f5-44d3-a696-67d10ad918c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381976/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed remcos unsafe
Link:
https://www.filescan.io/uploads/6437c5bff4a1f6ede14e9231/reports/0b2f73bb-91ac-4d3f-a316-33513c9f5d6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f69dffc-e252-4b66-930f-3e417d9a39ae
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213111
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 846027 Sample: AMED.exe Startdate: 13/04/2023 Architecture: WINDOWS Score: 100 24 www.necessarymusthave.shop 2->24 36 Snort IDS alert for network traffic 2->36 38 Multi AV Scanner detection for domain / URL 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 5 other signatures 2->42 9 AMED.exe 3 2->9         started        signatures3 process4 file5 22 C:\Users\user\AppData\Local\...\AMED.exe.log, ASCII 9->22 dropped 12 AMED.exe 9->12         started        process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 12->52 54 Maps a DLL or memory area into another process 12->54 56 Sample uses process hollowing technique 12->56 58 Queues an APC in another process (thread injection) 12->58 15 explorer.exe 1 12->15 injected process8 dnsIp9 26 www.superios.info 184.94.212.57, 49701, 49702, 80 VXCHNGE-NC01US United States 15->26 28 www.gestionamostualquiler.org 46.30.213.145, 49699, 49700, 80 ONECOMDK Denmark 15->28 30 11 other IPs or domains 15->30 32 System process connects to network (likely due to code injection or exploit) 15->32 34 Performs DNS queries to domains with low reputation 15->34 19 mstsc.exe 13 15->19         started        signatures10 process11 signatures12 44 Tries to steal Mail credentials (via file / registry access) 19->44 46 Tries to harvest and steal browser information (history, passwords, etc) 19->46 48 Modifies the context of a thread in another process (thread injection) 19->48 50 Maps a DLL or memory area into another process 19->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6wucckw5t6n7xsc7mm35egkmvgvgnpj4ckbqzdv6pv77mcju2wwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
Formbook
2d65927fe82bad89afd3f4aa0428b0aa01fd5f3cf87e9ac766681b223b3fc3b8
Formbook
326165a2f6e94ec16dfcead4602ded488925b4d4bd32b04458bf2416cdf9b93a
Formbook
3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b
Formbook
4a5ee921941ba55cd069a52fc95732b78f4c430a28236c3bd752ac350e4ffa79
Formbook
5267caaadc1e9d045e08de329de614b3b85f615aeec1a5927c32cfe82d493d2c
Formbook
87bbce3aff8ba59a541bd7fdc7c8df35108dd3ca5829a50448d4efee6abaac1f
Formbook
8e067a63005c0cb62a0db614acafc9e1964bfd5520c13075d04879fb2aa90451
Formbook
a0e5c335f0f479fec56a0e214fe7657e8d9b6f77cf5db53280ec1033c1dd2693
Formbook
a1896f4eab7631eb5e0daa3a5a9a9787cbb5ebc2324f4823f96e3d565b4875e6
Formbook
+ 2'626 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230413-k16fhsad92/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
47bd779a5befbead72c8229d574458242d050103404ac06718eab4be2cb39307
MD5 hash:
6bda7577ac99ef30fb7140b457e9d71e
SHA1 hash:
047e8a9766421dfff781cba58004bb404a1d826c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
Parent samples :
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
e33b0f4ba7b4fdf2db2287038d614e269eb88959acd1c6937882ad6a977d6e5b
5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695
24f98f7fef3de7a8c4ae83117f7fed32c749684bc87cdcc7d1c96236d7278e03
0fdc5a8bd9026a352ad7c986e4c690f7a85924235ef648a2a313f12f9ea885d5
67c1c8e08ebe65a80ae06b9d4011567f4cd8d1e05479b88e061a818dfe467493
37dd8f68f4822145ca8fbc462d106ae15fecb420f910b5c122d0a3fc0272265a
SH256 hash:
d5ae693ca9561d9b6756f25f0d88573e4b10287ce2dde30993303ececbe9e780
MD5 hash:
644813507d720f1ecb69c1fb563491c1
SHA1 hash:
2d1e046b4160bcc1b7f0e2cbefeeeaf6bc5ee11a
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
SH256 hash:
f3bdd84a36617feeb875d40b1a21771a189ec261af862a6f4d0bffc1bffcd578
MD5 hash:
51602938272a49851a6c79caa398247e
SHA1 hash:
357b061129fa60b37148a8bbf4b8629c8c70babd
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
SH256 hash:
a2e8c5e2a94573dbc48bf900bc5148bcc37e0147eb7c3064ca6718ae308fc5db
MD5 hash:
4de9850465b87744f38e46d93f7e6adf
SHA1 hash:
097ea4319be1ea5732fc152f870fbde6791f7aab
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
SH256 hash:
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
MD5 hash:
a507ce96d65b8ded1a32998e65c65cc5
SHA1 hash:
db43868ad7aa5517998c7c486d4b564d3a683621
Link:
https://www.unpac.me/results/35128746-957b-429a-8ac8-892beab32f33/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5a8212add9f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/381976/

Comments