MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069
SHA3-384 hash: eafe345819a5b6d769d2c3eb57af3ada467ad91f1aa54ad80655caf55ea078d912981e632037bc8b79d6f3eca39e1aac
SHA1 hash: 02d835e5ddd68debc87e9414b0cb17d841411b41
MD5 hash: 86ae96a903a4a4d42694747153a2a35e
humanhash: fillet-hot-mississippi-cat
File name:Payment Copy_Eur22,000.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:665'600 bytes
First seen:2023-12-18 08:51:35 UTC
Last seen:2023-12-18 10:16:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:gry0oLtry0sKGL1JjbqzPNULBa2iPwFA47aADVdyKAhtHBKrJ6UvwIpGXAMP9qoM:gpgly0UJJvqz+Ba2iPw3rDbMh/rZmGQ5
TLSH T1FFE4230957EED337CC4F63B3F590A3121FB5211A6AD5F328DD6995F4494BF8AA20A203
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468270/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.15375.26341.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
78%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65800847b4e856b7281e47d4/reports/08ab8f32-0041-49a9-a756-a83f398a12f1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbf6d58e-2138-4fdf-b566-41d7335c771d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363843
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363843 Sample: Payment_Copy_Eur22,000.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 26 www.fan-shoulu.xyz 2->26 28 www.transportheaven.com 2->28 30 17 other IPs or domains 2->30 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 54 5 other signatures 2->54 10 Payment_Copy_Eur22,000.exe 3 2->10         started        signatures3 52 Performs DNS queries to domains with low reputation 26->52 process4 signatures5 56 Injects a PE file into a foreign processes 10->56 13 Payment_Copy_Eur22,000.exe 10->13         started        process6 signatures7 58 Maps a DLL or memory area into another process 13->58 16 AcCxJLasxgdVIjYEYwFDdVPIaXAlL.exe 13->16 injected process8 process9 18 chkntfs.exe 13 16->18         started        signatures10 38 Tries to steal Mail credentials (via file / registry access) 18->38 40 Tries to harvest and steal browser information (history, passwords, etc) 18->40 42 Writes to foreign memory regions 18->42 44 3 other signatures 18->44 21 AcCxJLasxgdVIjYEYwFDdVPIaXAlL.exe 18->21 injected 24 firefox.exe 18->24         started        process11 dnsIp12 32 www.fan-shoulu.xyz 154.213.65.235, 49712, 49767, 80 VPSQUANUS Seychelles 21->32 34 www.mapaktelty.cfd 109.123.121.243, 49713, 49714, 49715 UK2NET-ASGB United Kingdom 21->34 36 9 other IPs or domains 21->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 08:12:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fgbhq2nj2i3hmdyzwonz6q37kxtdwdzlmwzmurfhptkb66jebuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231218-ksqp4abbg7/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
11b517d2b0ee4895d2fe6648dc0f0fb568df5dce1c84b8f6e33b1063a410d583
MD5 hash:
3331616689dca9c26117d8d206255cf4
SHA1 hash:
ec5ebbdfdba931d5700cf7361a67848719e4a001
Link:
https://www.unpac.me/results/cdd9af08-26dd-4505-a35d-980507756c02/
SH256 hash:
38abd7d6fb7d6966bdbe4cd7126256103a23ffd5de8e5db042e1cf77324a1c28
MD5 hash:
ed2a266a1deb44dcb808412b6ae40d64
SHA1 hash:
fa71030a213fba3f1cdfdc0ddd7b1c45d26d6917
Link:
https://www.unpac.me/results/cdd9af08-26dd-4505-a35d-980507756c02/
SH256 hash:
4d1939f421f4de5e4992fcac96ef41d5b088b21d0f04e7e3d24ee62fba45bb34
MD5 hash:
a9b17b9813126e71d88497d5b5a34bc2
SHA1 hash:
ed84ba4c8b1ce101ed19c054a774a02011c41513
Link:
https://www.unpac.me/results/cdd9af08-26dd-4505-a35d-980507756c02/
SH256 hash:
c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf
MD5 hash:
160f4669c06c6496d79a92ea9d33e89b
SHA1 hash:
baae226fdb2a9739f118db781bdc74f2efc6a585
Link:
https://www.unpac.me/results/cdd9af08-26dd-4505-a35d-980507756c02/
SH256 hash:
bba03f84b01df6772053f2ae70c6387522fd4a772fa4498afdd1f2c246e85415
MD5 hash:
ff641d1ab661288cf7258a39885ed5d6
SHA1 hash:
2bb98f966fa60e70377fc0b5426b4daff7eb0889
Link:
https://www.unpac.me/results/cdd9af08-26dd-4505-a35d-980507756c02/
SH256 hash:
f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069
MD5 hash:
86ae96a903a4a4d42694747153a2a35e
SHA1 hash:
02d835e5ddd68debc87e9414b0cb17d841411b41
Link:
https://www.unpac.me/results/cdd9af08-26dd-4505-a35d-980507756c02/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f94c13c34d4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f94c13c34d4e91b3b078cd9cdcfa1bfaaf31d8795b2d9652253be6a0fbc92069

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468270/

Comments