MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd775a8681200c469cfdbda94d5c9cde3454cb21a4a4783bad3aa647cab4378e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 12

SHA256 hash: fd775a8681200c469cfdbda94d5c9cde3454cb21a4a4783bad3aa647cab4378e
SHA3-384 hash: 2ff041542e2a17f58e0ec34e95bff93c8ed825e0ba872890d27c6a0c0a39fde345ad2f69b3189f768aee1e8a5e7ca0e9
SHA1 hash: 591b092698eee1cc31f27776d546cab94827e5e1
MD5 hash: e7344fe54449154d7babd65e5ee9b3eb
humanhash: rugby-chicken-sixteen-pluto
File name: PO-9192 & PO-9193.exe
Signature: Formbook
File size: 710'144 bytes
First seen: 2023-05-29 09:53:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'652 x AgentTesla, 19'463 x Formbook and 12'204 x SnakeKeylogger samples on MalwareBazaar)
This imphash is the value every managed (.NET) executable produces, because such a PE imports only mscoree.dll!_CorExeMain. It confirms the sample is a .NET assembly, consistent with the TrID result below, but it is not a useful pivot for family attribution.
ssdeep: 12288:6+MmzZBEP85DJzExn3bjns9bYW7WfXc7j8sjNDcUT7UM4vhXwiRQY:n9BEP8TOnrjs1Y/qYsjNDcUPUM4dwiRP
Threatray: 2'920 similar samples on MalwareBazaar
TLSH: T1C8E41268356E7F26D13EC7F980603A7053FBB55B7132E34A0EE7A0CB6166F410641A9B
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: adrian__luca
Tags: exe FormBook
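As an added example (not MalwareBazaar's own code), the following Python verifies a local copy of a sample against the digests recorded in this entry and recomputes an import hash the way pefile does, which shows why the imphash above is shared by tens of thousands of unrelated samples: the complete import table of a managed .NET executable is the single entry mscoree.dll!_CorExeMain. The hash values are copied from this entry; the byte string used when no file path is given is a constructed placeholder, not the sample, and the ordinal-to-name table pefile keeps for a few well-known DLLs is deliberately omitted.

```python
import hashlib

# Digests copied from this MalwareBazaar entry.
RECORDED = {
    "sha256": "fd775a8681200c469cfdbda94d5c9cde3454cb21a4a4783bad3aa647cab4378e",
    "sha3_384": "2ff041542e2a17f58e0ec34e95bff93c8ed825e0ba872890d27c6a0c0a39fde345ad2f69b3189f768aee1e8a5e7ca0e9",
    "sha1": "591b092698eee1cc31f27776d546cab94827e5e1",
    "md5": "e7344fe54449154d7babd65e5ee9b3eb",
}
# imphash listed on the entry, shared with ~80k AgentTesla/Formbook/SnakeKeylogger samples.
RECORDED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def digest_all(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar records for a file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify(data: bytes, recorded: dict) -> dict:
    """Compare every recorded digest against the bytes in hand.

    Any False means these are not the bytes the entry describes: the archive
    instead of the extracted file, a truncated download, or a re-saved dump.
    One matching hash proves identity; a mismatch on only one of the four
    points at a transcription error in the recorded value instead.
    """
    actual = digest_all(data)
    return {algo: actual[algo] == recorded[algo].lower() for algo in recorded}


def imphash(imports) -> str:
    """Import hash as pefile computes it.

    imports: list of (dll_name, function) in import-table order; function is a
    str for named imports or an int for ordinal imports. Each entry becomes
    '<dll lowercased, .dll/.ocx/.sys stripped>.<function lowercased>' (ordinals
    become 'ord<N>'); entries are joined with ',' and the MD5 of that string is
    the imphash. pefile also maps ordinals of a few well-known DLLs (ws2_32,
    oleaut32) to names; that table is omitted here.
    """
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{name}.{func}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The entire import table of a managed (.NET) EXE: one function from the CLR host.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]


def imphash_is_generic_dotnet(value: str) -> bool:
    """True when an imphash is the one every .NET EXE produces, i.e. not a pivot."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # Constructed placeholder bytes when no file is given; not the sample.
    data = open(path, "rb").read() if path else b"constructed placeholder, not the sample"
    for algo, ok in verify(data, RECORDED).items():
        print(f"{algo:9s} {'match' if ok else 'MISMATCH'}")
    print("imphash on the entry is the generic .NET value:",
          imphash_is_generic_dotnet(RECORDED_IMPHASH))
```

Run it with the path of the file extracted from the MalwareBazaar archive; every digest should report "match". Because the imphash check returns True, pivoting on it would pull in every .NET binary in the corpus, which is exactly what the per-family counts next to the imphash above illustrate.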

Intelligence

File Origin
# of uploads: 1
# of downloads: 247
Origin country: HU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: PO-9192 & PO-9193.exe
Verdict: No threats detected
Analysis date: 2023-05-29 10:02:57 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than just the uploaded sample, so its verdict reflects what was executed during the session.
Result
Verdict: Malware
Maliciousness:
Behaviour: Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys comodo lokibot packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad (evasive)
Score: 60 / 100
Signature:
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Result
Threat name: ByteCode-MSIL.Trojan.DarkCloud
Status: Malicious
First seen: 2023-05-25 12:07:19 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 28 of 37 (75.68%)
Threat level: 5/5
This vendor's threat name (DarkCloud) disagrees with the Formbook signature of the entry, and its first-seen date is four days earlier than the MalwareBazaar upload. The win_formbook_* YARA detections on the unpacked dump below are the stronger evidence for the family.
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
Of the seven files listed, only the first dump carries YARA detections; the last entry is the submitted sample itself.

SHA256 hash: be1d91f54ac3942f111540df45f8e5707dd09cf6592c3a6518f1e21c7edb7d88
MD5 hash: 581f5b68a96fe615550382611224c96e
SHA1 hash: 6b7234fa3b6b5192846e14e2cfad82b2ee41ff5e
Detections: win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: 72b312931b9ecd4fbadc34e2d7a8808bcc27e007708490852a376c5df4690b38
MD5 hash: db346564f5c72876cd6c9c6874f337e2
SHA1 hash: feeb48062a5228bc706fb86fa81f5b34fe748475

SHA256 hash: 486e75d1da26c8574ab6d26d35654cf20ec98e67d172c76d8bbf6147751fd597
MD5 hash: d7f493c1e3b1132f04b9e77199c86703
SHA1 hash: db01ee72227dbed3ede523f706ff31769729a084

SHA256 hash: 23f57d875ce78ceb06f6e708827576ceca82b28c7b5aba6b509299b4cc65482b
MD5 hash: 3c81c738ec4d9a64871eecf5ef06c718
SHA1 hash: a59c00b3eef490e5fa93e16c6bd7aa3f49476e9f

SHA256 hash: 16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash: fb4ed205b442f470bbf10913128efdcb
SHA1 hash: 9a0a4c5ae429769e3253a9a3daefa24270b87a5b

SHA256 hash: b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb
MD5 hash: 803e0c67b76960ff5d9ccb360ba9636b
SHA1 hash: 836d339682618638c6b2e3d156ad66a56e4f9ba5

SHA256 hash: fd775a8681200c469cfdbda94d5c9cde3454cb21a4a4783bad3aa647cab4378e
MD5 hash: e7344fe54449154d7babd65e5ee9b3eb
SHA1 hash: 591b092698eee1cc31f27776d546cab94827e5e1
Please note that we are no longer able to provide a coverage score for Virus Total.
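The behaviour reported by the sandboxes above (EnumeratesProcesses, AdjustPrivilegeToken, WriteProcessMemory, SetThreadContext) together with the "Injects a PE file into a foreign process" signature describes the write-then-redirect injection sequence. The following Python is an added example, not any sandbox vendor's detection logic: it flags that sequence in an API-call trace. The trace format (calling pid, API name, pid the handle argument refers to) and the log entries are constructed for illustration; in a real pipeline the records would come from an API monitor or ETW, and the thread handle passed to SetThreadContext would have to be resolved to its owning process first.

```python
from collections import defaultdict

# Constructed trace (not taken from the sandbox reports): each record is
# (calling pid, API, pid of the process the handle refers to, or None when
# the call takes no cross-process handle).
TRACE = [
    (4120, "EnumProcesses", None),          # reported as "EnumeratesProcesses"
    (4120, "AdjustTokenPrivileges", None),  # reported as "AdjustPrivilegeToken"
    (4120, "CreateProcessW", 4388),         # new child, typically CREATE_SUSPENDED
    (4120, "WriteProcessMemory", 4388),     # PE headers written into the child
    (4120, "WriteProcessMemory", 4388),     # sections written into the child
    (4120, "SetThreadContext", 4388),       # main thread pointed at the written image
    (4120, "ResumeThread", 4388),
    (4120, "WriteProcessMemory", 4120),     # self-write: in-process unpacking, not injection
    (5000, "WriteProcessMemory", 5100),     # debugger-style write with no thread redirection
    (6000, "SetThreadContext", 6100),       # context change with no prior write: not the pattern
]


def find_injections(trace):
    """Return one record per (source, target) pair in which the source wrote
    into a different process and afterwards changed a thread context in it.

    Order matters: a SetThreadContext that precedes every write, or writes
    that are never followed by a context change, do not form the sequence.
    Writes into the caller's own process are ignored because packed .NET
    droppers unpack in place and would otherwise flood the output.
    """
    writes = defaultdict(int)   # (source pid, target pid) -> writes seen so far
    hits = {}
    for pid, api, target in trace:
        if target is None or target == pid:
            continue
        key = (pid, target)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext" and writes[key]:
            hits.setdefault(key, {
                "source": pid,
                "target": target,
                "writes_before_context": writes[key],
                "resumed": False,
            })
        elif api == "ResumeThread" and key in hits:
            hits[key]["resumed"] = True   # execution actually handed to the injected image
    return list(hits.values())


if __name__ == "__main__":
    for hit in find_injections(TRACE):
        print(f"pid {hit['source']} -> pid {hit['target']}: "
              f"{hit['writes_before_context']} write(s) then SetThreadContext"
              f"{', thread resumed' if hit['resumed'] else ''}")
```

On the constructed trace only the 4120 -> 4388 pair is reported. Requiring the writes to precede the context change, and excluding self-writes, is what keeps the rule from firing on the in-process unpacking that the ".NET source code contains potential unpacker" signature above already accounts for.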

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Both matching rules key on the import hash rather than on Formbook code, and the sample's imphash is the one shared by every .NET executable, so these hits do not attribute the family. That attribution rests on the win_formbook_* detections on the unpacked dump listed under Vendor Threat Intelligence.

File information


The entries below give additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: Formbook
File: Executable exe fd775a8681200c469cfdbda94d5c9cde3454cb21a4a4783bad3aa647cab4378e

Comments