MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645
SHA3-384 hash: f72519271c2d2a20e5e6a4c52463efd920ef3d4885434c1059cd2214a47dd3e812235bcb21656cdbb5f122c929e1175e
SHA1 hash: 6bcf9afc3b689732376dd8a276173f5a0cc7cdb9
MD5 hash: e8a910cfaff49b29e0a26ef127c79137
humanhash: jupiter-montana-item-early
File name:rNJnNhNnN877.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:794'624 bytes
First seen:2023-08-01 10:57:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:n7xF8Mvg3VIS48cc3eCWdK31HovvhBe1sYgcpBTve/xhvByh1Md9cwg:3yVIS4SVRxAwE9
Threatray 3'454 similar samples on MalwareBazaar
TLSH T114F4FE2939AA500DB3729E556BFCB5B6D05EF6F226364C7B0DF7020620129F0DB9C53A
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Our Company is in need of your product(RFQ11090023).eml
Verdict:
Malicious activity
Analysis date:
2023-08-01 04:18:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/194ecdd3-b32b-4196-8980-967f15ae3b27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439585/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5748.6064.UNOFFICIAL
Create hunting rule

PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex lolbin packed packed replace
Link:
https://www.filescan.io/uploads/64c8e53c1b48787a4970c9cc/reports/673c77ad-5553-47e4-83f7-6fecd04e3384/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08836436-4f21-459e-8a6c-8d315ea24e70
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1283669
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 00:43:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=daojmgw3lyyvfkjyj4mkp7wnybluumiwibbuwguywo2rimi62zcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01ff3a6ce715226b103f3bf80bdb44737fc8bccd38119a7372d8cdcfd3b034c7
Formbook
12d7296fa8ee95861d67877223842af8b28608bc8ea32cdff1c269701da3727e
Formbook
3276e7ff57ccbea104651066c1d45301d52fbfce23d0d48f5238d82a51abd852
Formbook
35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b
Formbook
74f3991c2f65f8bfa4e39a908f8d4d73d8b502fed1d9910a9ed66773c0674c99
Formbook
9292d7b24e619b853df2eefe4a41acee5fd6e7af72a42baf497bfa1d17154629
Formbook
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
Formbook
a96ec414b99747cf8859a77e2d05ea24053db3fa343474a007180dfefda658ca
Formbook
aeb52b6f9b9f7b458048aa0eba6255840d1a90f4309f18c95acc0f3f4b972df3
Formbook
bf03cd8e5554ec62c98931069f436ec71ac21d57a8922b1bb3c1958a0a9256f3
Formbook
+ 3'444 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230801-m2vfrafd43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b27d346c4dd2864616a99b737bb0122a7582123d2a4bead31073acdde0985223
MD5 hash:
7f7cbd12c752b4836f4aa87f3abeffd0
SHA1 hash:
ed89b55e3f7925cca185bedad1811f30938ae782
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d4234411-218f-4599-a66c-32cdfc4e28d2/
SH256 hash:
2bb9e8d67b2f3e0cf7db103ceb69ad38922042a409af5b3062c6d605e14cb717
MD5 hash:
582cff42bc257f5baaa2ed2970e4a12c
SHA1 hash:
4d8e8dd77e5a1956155e44972fbb3a4b0cae4c02
Link:
https://www.unpac.me/results/d4234411-218f-4599-a66c-32cdfc4e28d2/
SH256 hash:
f8fdc0c6ce42aed3a2a46809d9a458d0c22a88757df1c2fabca6f75704874cdc
MD5 hash:
897ea2bcfcc78408e4beea68b3be622a
SHA1 hash:
d1d73205372f82f286461797c707ead6468be94a
Link:
https://www.unpac.me/results/d4234411-218f-4599-a66c-32cdfc4e28d2/
SH256 hash:
181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645
MD5 hash:
e8a910cfaff49b29e0a26ef127c79137
SHA1 hash:
6bcf9afc3b689732376dd8a276173f5a0cc7cdb9
Link:
https://www.unpac.me/results/d4234411-218f-4599-a66c-32cdfc4e28d2/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/181c961adb5e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 181c961adb5e3152a9384f18a7fecdc0574a311640434b1a98b3b514311ed645

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439585/

Comments