MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575
SHA3-384 hash: 55614f004d69d04208ad6751850829f049d3edcc2f978364aca759d7a6d49c4b6090e10f7f3dd9ebe121ccc3a27f934a
SHA1 hash: b338a8e8a6cedfca7ad0432d766604138d481735
MD5 hash: ae7060c5601894ec5c50d229ea5417ec
humanhash: december-pizza-summer-london
File name:ae7060c5601894ec5c50d229ea5417ec.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:407'022 bytes
First seen:2023-11-22 17:30:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:XBlL/0F6wKv62AYP9ke+uyJEEp2XnnE8qP2QOyCwT3yLmMgu9cWdq1bj8HyxOf:R26y2AE9kb59qnE8YlxTogn91bj8Hpf
Threatray 18 similar samples on MalwareBazaar
TLSH T1BD84221033D9D853D48449B14CA7D7B8D239BD086A09FA472B507FB77A2D1FF2B0A16A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8fcd0e2f2c0ecc4 (2 x Formbook)
Reporter smica83
Tags:exe FormBook HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459741/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.32534.30778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f8985c4-5673-46e5-9f37-16b60317c968
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1346544
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1346544 Sample: qWmFFs9EQd.exe Startdate: 22/11/2023 Architecture: WINDOWS Score: 100 32 www.speedbikesglobal.com 2->32 34 www.sorenad.com 2->34 36 20 other IPs or domains 2->36 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 2 other signatures 2->52 11 qWmFFs9EQd.exe 17 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\Temp\eonlnq.exe, PE32 11->30 dropped 14 eonlnq.exe 11->14         started        process6 signatures7 62 Multi AV Scanner detection for dropped file 14->62 64 Detected unpacking (changes PE section rights) 14->64 66 Machine Learning detection for dropped file 14->66 68 2 other signatures 14->68 17 eonlnq.exe 14->17         started        process8 signatures9 44 Maps a DLL or memory area into another process 17->44 20 tfHyPtOEFv.exe 17->20 injected process10 process11 22 typeperf.exe 13 20->22         started        signatures12 54 Tries to steal Mail credentials (via file / registry access) 22->54 56 Tries to harvest and steal browser information (history, passwords, etc) 22->56 58 Writes to foreign memory regions 22->58 60 3 other signatures 22->60 25 tfHyPtOEFv.exe 22->25 injected 28 firefox.exe 22->28         started        process13 dnsIp14 38 belaflorloja.online 162.240.81.18, 49769, 49770, 49771 UNIFIEDLAYER-AS-1US United States 25->38 40 www.hcfa-cis.com 91.189.114.7, 49753, 49754, 49755 RU-CENTERRU Russian Federation 25->40 42 11 other IPs or domains 25->42
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 17:31:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=idigg3j6yiuhubyatmc2rpl5ifb3ns5tl25jyi6zz7jdtshzyv2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4169bc8ef83d44e5cd72de2f88c40602f7840d578e1ec0bbdd9b2a874bb75c4c
Formbook
86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2
Formbook
bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
Formbook
ddbd4b7c13d365eb339aad4d0e2deb0dff4b50287d5111f57ca8756f3746f940
Formbook
e49ad42b1f8c0cdfe8843ba366ff3edbf42c3e11bfb747a847e78230dfe8e202
Formbook
ecc081d22527f522ace5ca77d6991d355985b268f718e3ec60826d94dd8081d8
Formbook
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231122-v3pwnaee6t/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d9ede5a5a396b07f2d37034d2aba3ca1255dddbca968d49e67978401a50a5e77
MD5 hash:
90fb7db7a9fa15be3af7705b40f6b955
SHA1 hash:
78bc2ba84acbc4c4664625f4683e6bae2e38300b
Link:
https://www.unpac.me/results/05fbb4b8-a20b-4aaf-b71b-a3f0e2adaee6/
SH256 hash:
40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575
MD5 hash:
ae7060c5601894ec5c50d229ea5417ec
SHA1 hash:
b338a8e8a6cedfca7ad0432d766604138d481735
Link:
https://www.unpac.me/results/05fbb4b8-a20b-4aaf-b71b-a3f0e2adaee6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40d0636d3ec2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40d0636d3ec2287a07009b05a8bd7d4143b6cbb35eba9c23d9cfd239c8f9c575

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459741/

Comments