MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
SHA3-384 hash: 84cb320d16132dce452e396214e7e6e0b489ac90e59e64a0d91c00cd0f255e7903367f82ce615a5bf9556e804fe46736
SHA1 hash: 69d17652d59b5551556c55cfa2cd83c9c12f35ab
MD5 hash: 992d8ee03684e44641e0414d9f3dddbc
humanhash: sixteen-mobile-oxygen-nuts
File name:TKHA-A88163341B.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:739'840 bytes
First seen:2024-06-17 13:36:20 UTC
Last seen:2024-06-24 11:52:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:j2iNvFIsPANmEJL6Oa60fLk3sZYbqk7ZHQ6ktQSEW0OHh3x1mM+9lspEsxrGZoSQ:j1DIKbEJOOa60TkZPSbaSEW0OHf1mM+4
Threatray 724 similar samples on MalwareBazaar
TLSH T130F4229A37EC67B1C6BE0BF9AA7440610BF66E0471E3E35C5C8621CF28637158725F62
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
328
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6.exe
Verdict:
Malicious activity
Analysis date:
2024-06-17 13:37:29 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/ff57d2f7-7709-4def-bb2b-01f466f81f6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66703d430f8138dd4eab7c5awin7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Static Nekark Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/66703c0d6b8dba248b4209a3/reports/19de4dba-6474-409b-89a9-6204c831ab17/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ff41526-0ca0-4eb9-87e1-69d2c599ea2d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1458360
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1458360 Sample: TKHA-A88163341B.bat.exe Startdate: 17/06/2024 Architecture: WINDOWS Score: 100 61 www.lenovest.xyz 2->61 63 www.x5hh186z.skin 2->63 65 19 other IPs or domains 2->65 79 Snort IDS alert for network traffic 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for URL or domain 2->83 87 9 other signatures 2->87 10 TKHA-A88163341B.bat.exe 7 2->10         started        14 UBLIfVqa.exe 5 2->14         started        signatures3 85 Performs DNS queries to domains with low reputation 61->85 process4 file5 53 C:\Users\user\AppData\Roaming\UBLIfVqa.exe, PE32 10->53 dropped 55 C:\Users\...\UBLIfVqa.exe:Zone.Identifier, ASCII 10->55 dropped 57 C:\Users\user\AppData\Local\Temp\tmpFCD.tmp, XML 10->57 dropped 59 C:\Users\user\...\TKHA-A88163341B.bat.exe.log, ASCII 10->59 dropped 89 Uses schtasks.exe or at.exe to add and modify task schedules 10->89 91 Adds a directory exclusion to Windows Defender 10->91 93 Injects a PE file into a foreign processes 10->93 16 TKHA-A88163341B.bat.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        95 Multi AV Scanner detection for dropped file 14->95 97 Machine Learning detection for dropped file 14->97 25 schtasks.exe 1 14->25         started        27 UBLIfVqa.exe 14->27         started        29 UBLIfVqa.exe 14->29         started        signatures6 process7 signatures8 73 Maps a DLL or memory area into another process 16->73 31 OFUHgZbPlAqQCtvioSpTxEQkFhqqba.exe 16->31 injected 75 Loading BitLocker PowerShell Module 19->75 34 WmiPrvSE.exe 19->34         started        36 conhost.exe 19->36         started        38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        process9 signatures10 107 Found direct / indirect Syscall (likely to bypass EDR) 31->107 44 compact.exe 31->44         started        process11 signatures12 99 Tries to steal Mail credentials (via file / registry access) 44->99 101 Tries to harvest and steal browser information (history, passwords, etc) 44->101 103 Modifies the context of a thread in another process (thread injection) 44->103 105 3 other signatures 44->105 47 OFUHgZbPlAqQCtvioSpTxEQkFhqqba.exe 44->47 injected 51 firefox.exe 44->51         started        process13 dnsIp14 67 shahaf3d.com 64.46.118.35, 49752, 49753, 49754 SINGLEHOP-LLCUS United States 47->67 69 www.klimkina.pro 185.137.235.77, 49748, 49749, 49750 SELECTELRU Russian Federation 47->69 71 10 other IPs or domains 47->71 77 Found direct / indirect Syscall (likely to bypass EDR) 47->77 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-06-17 05:31:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
11 of 38 (28.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nkdc6kxc7zz37e4eqtk6mkyfnuypkc7m25d6uglu37imvmjx7la._file
Verdict:
malicious
Similar samples:
28cf97f72cdba738fe94806e047be6ed4b261c1ef1eceec6f4f30a511d914aa7
Formbook
57826299a05b5202efad57e0b8580ffad6d90feace9734a5aceb3a0d945fbeee
Formbook
dc2e8a0f43a7ba9dc6ccf14dfda7e6ddd366d137cf774e221b09165ca6b414a8
Formbook
e3dc38ad4bb6f9e5109ff01bb417fef1e9ba7e3f269d3528ae19fc868809c123
Formbook
+ 714 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240617-qwt5ksxcqr/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
63dac3a59d0a77ef2c50490df0602032664a113cb80c53cc686649be467e8be2
MD5 hash:
576bcab19ffe826ab1df342dcf621611
SHA1 hash:
aab4da2d28c0fb3254d86102db5e12f151f68d94
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
Parent samples :
94818e3ff52e10a04fcd1759813020d73907ce10e9f6906ee98fd26c7da13aa3
ec436ac4230b5aee3167ff520d0c1d9e0083749e15d93e5cf2294537816e83a0
fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
SH256 hash:
042bf55cce3b50c409a4af61b0c330b7ef15a30914376d8dab04e7b6a1332d99
MD5 hash:
9c9b47f2da1e68d976f6964a6a4007e9
SHA1 hash:
cef1c5766ab3061b02541e113a448f1ce6b8e1b4
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
4c69437931f31ac36c7ca6801e4fa1dd896e525980fe1304994d7b2d4bec21b6
MD5 hash:
fd8b4d583f055880bc1337c9ce773406
SHA1 hash:
ad63e31f72f5b34dd6df74f381d5b41481d8c1c1
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
5899a025ed5a888a09f4b90d3aeaa4fc00bf2dfb2d46a57b5a9dbc821f42cbe4
MD5 hash:
39ed6f38b5cdc924c5483f2477aff448
SHA1 hash:
c66bb4c943a510750a4e126d6ec8d80f7b316913
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
c4b12039bfed4c8bbb9d1376004da60480e49a379a84c9e60565bbd5caef07b2
MD5 hash:
144f7fcaaa3b81b0a3706203a7f1add8
SHA1 hash:
4bc14913fd448b4a2664e1e9ba664a1c6e9a9194
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
ecf1257cb2839319c722daf5323ba2ed7060368b46f84610b6b6823323297826
MD5 hash:
cba51dcdec84ac14ce1eaf2ede86f28b
SHA1 hash:
2e77e64525600817d96b4d9c497135c989e608ee
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
084177c2a923bc54e7aad3a3059315f3aee431c3453c6e93a302090be603fff8
MD5 hash:
9bba040f33cea47050336295c8c6ea8c
SHA1 hash:
ba2a1fed4c16819058d5e3101323fd338bc51426
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
6f1eccb01dcc3752b20750d7bfcff492caa42db1d780884b6f931723001156cc
MD5 hash:
52054b62211451c43f1b6a810c0012cb
SHA1 hash:
54d17a58ab8b384e6e1211b3442a86989084f842
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
94839825a62f37a1fc592004de4c8135332280c0c4d4338b35831b0be9d4a1a8
MD5 hash:
2f0a8a80c5dff55e02430a437b4751f2
SHA1 hash:
32f2660239b1a167f7228c16d882235086ba050e
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
5859b6a1bab1bebb079761ac646d927fdf8ce82eeb87dc19d542d4fe074518f3
MD5 hash:
70a9cc6f822798a395cfe685314723c8
SHA1 hash:
30f00700e9ce21c69d16bdf2842be74f917e428e
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
0808a391d917d0b3eda26330eeb6bfe11bd911a6879414c775efad9e964bb3d0
MD5 hash:
002448c5aa62cc99264605c0b2a06ed3
SHA1 hash:
2bfdf10520e4e8c193d47369788c1deb8c37f74d
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
359594e8cd7ac6714913e7f23193248711196221c0cbf404fc65c81e3bcdcab1
MD5 hash:
6ec4556a7c44a177d7c4676c603ba4cf
SHA1 hash:
1ef1b9f0be5604fe5fc02b702aa58999d665d179
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
SH256 hash:
fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6
MD5 hash:
992d8ee03684e44641e0414d9f3dddbc
SHA1 hash:
69d17652d59b5551556c55cfa2cd83c9c12f35ab
Link:
https://www.unpac.me/results/0603f236-6ab6-49d1-ac50-c43e116aa8d0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb5431795717/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fb5431795717f39dfc9c2426af31582b6987a85f66ba3f50cba6fe865589bfd6

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments