MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b
SHA3-384 hash:	788eae0825dd52d2df15276f650dfccbfde49830272889d2f846feb044f2ab25b16713a0fea5f8f0299c76fb1d751ee4
SHA1 hash:	9ba15e67bdf1af12ef5a975634ce767be8f3219c
MD5 hash:	2d97dbe3882c05bb2281b27d21675218
humanhash:	romeo-undress-angel-earth
File name:	z1CurriculumVitaeIsabelGonzalez.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	276'766 bytes
First seen:	2023-06-28 11:06:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:wYa6OVOayqELplP5XTFD7okEkUEEcTsNPMj9xO3ckGUXX9SKE:wYAgayqSpR5XNr7TTsNPMm3yAX9zE
Threatray	1'614 similar samples on MalwareBazaar
TLSH	T1E54402C4ABB994F3E9524E32113ACA09BD75ED3819409B874600FA6C7EF52D29D0F367
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter	FXOLabs
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

356

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

z1CurriculumVitaeIsabelGonzalez.exe

Verdict:

Suspicious activity

Analysis date:

2023-06-28 11:09:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ce1c183-4451-40a3-9128-d9b3781609a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/403452/

Detection(s):

SecuriteInfo.com.Win32.InjectorX-gen.21849.31973.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/93976/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/649c145792fd95d811253f25/reports/30099a6e-c260-44d7-bf9c-e26ecb836b67/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/279ff695-2768-456b-b465-8a44427358b5

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1262602

Signature

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-06-28 10:47:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=icuehidahuh6lbnigrb7jxhynrfym4jcsrxckrb4lqzir5lo7wfq._file

Verdict:

malicious

Label(s):

formbook

Formbook

10cdd9119cf9d3bdd4eda712d160a49c77f469989053ec08291f63078cea5a99

Formbook

213002db79b1a5e11521190f9f11fcdda96e24ab0f382fff8b9f6347c618631d

Formbook

4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

Formbook

564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de

Formbook

7517367b3b61170bb7637de6f89077069159c4a04f430c28102e2d7cf5a0343a

Formbook

99ec8b8e93e7a91dab1a16b9353333fa340d52569de4b88f5703bbc5a666211c

Formbook

d004812639335fc21774851e271241aaead5918a69f978e1aedb6b573b6cca1b

Formbook

e4ae7f58c9e924cc6dac0208b5f6438e15174d978d013e0125f814af1509afb7

Formbook

e904274bd2e5d919c63c6db8c82f908abc10d65fdba772596e2953ab708b1726

Formbook

+ 1'604 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230628-m7zbwshb36/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

606b7769d9be963ad8fdaad3d4aa172a6e3cbc58dd335a34a858b38f0938da07

MD5 hash:

8ecf2e333a66e25a9b7bf2d727d9a3a0

SHA1 hash:

c28d64b57e63c06188663a1e6bb72888b970bf82

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

Parent samples :

40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b
6e4fa72cffa8c6cbfac487753758461e7c066e4390954ec1bd4fd26223111fdf
ad1ca63f77662125df76d05e0b575113787abacc09017c0ef6ded375dd8259c3
a399b54dead35ab80699f0fb8264873b2409ba363238829194eeb28e532e17d0

SH256 hash:

90f63cd736c3bb22bebed8db95204533fe328900a98c6843ba71a013bf6b6ba0

MD5 hash:

b3d8a923d89ad7359f24dcf1be412ebf

SHA1 hash:

0a68d61aa5be3f1d828dc57b394e6ce9caa4a0c0

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

SH256 hash:

c861130e929708464fba4e563356fcd314fff60b537952a3221aeb21175245fd

MD5 hash:

98e47be09c31b6d8d7e9f967884e025b

SHA1 hash:

ae41b3d9e8ffae62f4eb02493c848dc9f625d7ba

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

SH256 hash:

606b7769d9be963ad8fdaad3d4aa172a6e3cbc58dd335a34a858b38f0938da07

MD5 hash:

8ecf2e333a66e25a9b7bf2d727d9a3a0

SHA1 hash:

c28d64b57e63c06188663a1e6bb72888b970bf82

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

Parent samples :

SH256 hash:

606b7769d9be963ad8fdaad3d4aa172a6e3cbc58dd335a34a858b38f0938da07

MD5 hash:

8ecf2e333a66e25a9b7bf2d727d9a3a0

SHA1 hash:

c28d64b57e63c06188663a1e6bb72888b970bf82

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

Parent samples :

SH256 hash:

90f63cd736c3bb22bebed8db95204533fe328900a98c6843ba71a013bf6b6ba0

MD5 hash:

b3d8a923d89ad7359f24dcf1be412ebf

SHA1 hash:

0a68d61aa5be3f1d828dc57b394e6ce9caa4a0c0

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

SH256 hash:

c861130e929708464fba4e563356fcd314fff60b537952a3221aeb21175245fd

MD5 hash:

98e47be09c31b6d8d7e9f967884e025b

SHA1 hash:

ae41b3d9e8ffae62f4eb02493c848dc9f625d7ba

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

SH256 hash:

90f63cd736c3bb22bebed8db95204533fe328900a98c6843ba71a013bf6b6ba0

MD5 hash:

b3d8a923d89ad7359f24dcf1be412ebf

SHA1 hash:

0a68d61aa5be3f1d828dc57b394e6ce9caa4a0c0

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

SH256 hash:

c861130e929708464fba4e563356fcd314fff60b537952a3221aeb21175245fd

MD5 hash:

98e47be09c31b6d8d7e9f967884e025b

SHA1 hash:

ae41b3d9e8ffae62f4eb02493c848dc9f625d7ba

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

SH256 hash:

40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b

MD5 hash:

2d97dbe3882c05bb2281b27d21675218

SHA1 hash:

9ba15e67bdf1af12ef5a975634ce767be8f3219c

Link:

https://www.unpac.me/results/bf3e6c72-6c1a-4d3f-9677-6d79b291bc57/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/40a843a0603d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 40a843a0603d0fe585a83443f4dcf86c4b867122946e25443c5c3288f56efd8b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/403452/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample