MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb
SHA3-384 hash: 6cfa63f00ea98fbfb060ad0719db8d21be46b445551d6d2ac77a546d25ff93757e540831697f83acf71f07560d174c6d
SHA1 hash: 7beae4e0dd227ff868380e9dfdca414f87772f7e
MD5 hash: d21ed3a98d73778ae8a252095bd1a52b
humanhash: two-georgia-three-six
File name:PO 042023BCX1.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:750'080 bytes
First seen:2023-04-21 12:40:32 UTC
Last seen:2023-04-24 07:59:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JkimwVEr8HMH91DzZLXNCuJyRYJK3efS9ccOKwWc5cYXMZDliTpFKSe7SdaFEw:5mAEr8HMd1DtLXNCuJEgS9ccfhY8RsEf
Threatray 2'668 similar samples on MalwareBazaar
TLSH T114F4E1D5775AE752C2583D3D52EA71282B7089C7E927CA39FCC811993E267C91F8038B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0070696969696000 (12 x Formbook, 9 x AgentTesla, 5 x Loki)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
257
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 042023BCX1.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-21 12:42:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2db2e6e7-f569-4d52-8386-f1fbc4b5e0af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383940/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6442845f90012911b698c706/reports/e056c5d2-e0e3-4b77-b412-79183a82460e/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a9b4499-683c-4b7d-aec0-ac63fb838680
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1218607
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 851557 Sample: PO_042023BCX1.exe Startdate: 21/04/2023 Architecture: WINDOWS Score: 88 20 Malicious sample detected (through community Yara rule) 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 4 other signatures 2->26 6 PO_042023BCX1.exe 3 2->6         started        process3 file4 18 C:\Users\user\...\PO_042023BCX1.exe.log, ASCII 6->18 dropped 28 Injects a PE file into a foreign processes 6->28 10 PO_042023BCX1.exe 6->10         started        12 PO_042023BCX1.exe 6->12         started        14 PO_042023BCX1.exe 6->14         started        16 PO_042023BCX1.exe 6->16         started        signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 03:58:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=arsb4jduigtszmuhtgfw6nvutfm5iph66u4n3adk5ickqydic75q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10e1fd083fbaa700f1580863bc6bdc928fff23f2edc479c6a8d4e3d7ff57926c
Formbook
2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42
Formbook
24f98f7fef3de7a8c4ae83117f7fed32c749684bc87cdcc7d1c96236d7278e03
Formbook
3b86e5743a7a35e6c3e1dc7cb1a844299e7b1f9eeea5bb7e51ca0de52b808803
Formbook
52582001ebe2883d2f5b20f0de69b42c27aef25ec30e09e1a294b9ae2c8131c3
Formbook
5c205cffc83f7be274773fb1c3aa356b29d97e4d62a83e79c5fd52eadc3ed695
Formbook
896d0711b287b0914d88b93ff8d06623c60f45b405e12cbc34a406e09942a577
Formbook
dd208244eb1a5fd616173f4dd0ed419bcfc360c5c3237eb0510b4f97fa22b72d
Formbook
e6d16fced75e8265e62b73cf660a303c0e03f50cead978df78b0a05f51aa42dd
Formbook
f641f1a87ee2a760b79417b410c52137c114e2618529bb90a0f281967975476e
Formbook
+ 2'658 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230421-pwrtsafe62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
72cc5f1c7dfee6ddc819c225cdc5b67f420df1cea6ed1d5fd6dc8b4a9db16809
MD5 hash:
cea6d046843a5e5bf4b9badff15faf8b
SHA1 hash:
a8b6e8ea5b1c212cc969ed4aaa791b470f9b3948
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
Parent samples :
04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb
77133e6383dadf832cbb0e1add33a1aa440b7f280a69d65038323049d1a76bf4
SH256 hash:
774815f05690d68525dc42542ce9caa4ba63652338787318340f41ef61ed7d2f
MD5 hash:
875b5743fb0f010fd133eba77dbf65bc
SHA1 hash:
bc748a38387576cd7ff0a7d43337b7970f0d794a
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
SH256 hash:
2bd5bf8c2ef6bdc10b39d738edac6a31ba1e2a2e442be38e4ac4a1c0d6cab4d9
MD5 hash:
61b5bcf906adaf3f6078e4b783fffd33
SHA1 hash:
cd85f647cee68198f1ffbc4e8f5e3db4141a5c2b
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
SH256 hash:
77a736dbd80cbb56b4dd654407c33341475a9632d19ce247cbe19c23659db334
MD5 hash:
55ea37b71054d23a3b4e05c234f87da3
SHA1 hash:
9ff98b0e283b97efba5be33e4c1dcff75f791980
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
SH256 hash:
04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb
MD5 hash:
d21ed3a98d73778ae8a252095bd1a52b
SHA1 hash:
7beae4e0dd227ff868380e9dfdca414f87772f7e
Link:
https://www.unpac.me/results/7910e2c4-ddb2-4d2b-90c8-adc9ff0f9028/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04641e247441/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383940/

Comments