MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144
SHA3-384 hash: 52f2df2627e6394de10d7c957d6dbf07a0084990b15af83728c3acb0522f08b83f05ce03a6bfb09ff2a2afc2c3571edf
SHA1 hash: 0e50bd3079fff410751886dc88ef2e7aec5ca53e
MD5 hash: 1bc1e23e2e7712b81031b97a96356732
humanhash: nevada-undress-salami-minnesota
File name:1bc1e23e2e7712b81031b97a96356732
Download: download sample
Signature Formbook
Create hunting rule
File size:561'152 bytes
First seen:2021-06-25 07:40:26 UTC
Last seen:2021-06-25 08:37:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:i5mL4Dy2vAv2ItTPYGYo0Rf/WeoCATFEW8kNQ/wTal9jLukP:i5n5vAuIZPYGYo0Rf/oCbGal11P
Threatray 6'084 similar samples on MalwareBazaar
TLSH 53C49C273004D97FE333CC7D8809D1657D936E2618A5A51D66D933BE15B232222FAB2F
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1bc1e23e2e7712b81031b97a96356732
Verdict:
Suspicious activity
Analysis date:
2021-06-25 07:43:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/38af7e7b-66be-4a6c-9b71-5df80d961602

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168266/
Detection(s):
SecuriteInfo.com.Variant.Bulz.527935.17375.26956.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9723117-f7fd-4919-b426-67e3b540c261
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807985
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440396 Sample: 4xXZeLNSc0 Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 8 4xXZeLNSc0.exe 5 2->8         started        12 explorer.exe 2->12         started        process3 dnsIp4 28 C:\Users\user\AppData\...\4xXZeLNSc0.exe, PE32 8->28 dropped 30 C:\Users\...\4xXZeLNSc0.exe:Zone.Identifier, ASCII 8->30 dropped 32 C:\Users\user\AppData\...\4xXZeLNSc0.exe.log, ASCII 8->32 dropped 44 Writes to foreign memory regions 8->44 46 Injects a PE file into a foreign processes 8->46 15 4xXZeLNSc0.exe 8->15         started        18 4xXZeLNSc0.exe 8->18         started        20 4xXZeLNSc0.exe 8->20         started        34 www.aperibe.com 154.204.156.156, 49748, 80 ASLINE-AS-APASLINELIMITEDHK Seychelles 12->34 48 System process connects to network (likely due to code injection or exploit) 12->48 22 raserver.exe 12->22         started        file5 signatures6 process7 signatures8 50 Modifies the context of a thread in another process (thread injection) 15->50 52 Maps a DLL or memory area into another process 15->52 54 Sample uses process hollowing technique 15->54 56 Queues an APC in another process (thread injection) 15->56 58 Multi AV Scanner detection for dropped file 18->58 60 Machine Learning detection for dropped file 18->60 62 Tries to detect virtualization through RDTSC time measurements 22->62 24 cmd.exe 1 22->24         started        process9 process10 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 06:07:40 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
37e98fef85aeb5097a5091d11fc844487642873e9e06a8d0734785dbe1ad1315
Formbook
38c8743572d600fee9623ff305b4e6a78c033576f4ca63e6e5f8ab1c9f6047ce
Formbook
5372118bedc7e54daeed321ca6e2271d9a53dfe37ffab9b9f8ea91e8a3520ef5
Formbook
6aca638f8c9405c4c02bb3f2b5f5e5bc9d5596f8c68a57fb99347031415b584b
Formbook
964879f3193645b71e10534ec04ea701bccf583f3f17c7d8ca3daeac0454d97e
Formbook
98b0ffba12ebffdb7f0ebeaa1a9c402098c1b3fc6d7b9a68ece1ec73855abbd6
Formbook
cccbd0b2d46adeb6d99413af4d5a4492cd530922a09724f04c8fb1e0c47d8326
Formbook
d26002db103997db131096ea22189a0f4f2a5a17fea7d100796d5148f1815447
Formbook
e197309f79a43cdeccdc0b69344a36abc6c23fb8eef66063e4eb5cc443ee9d4d
Formbook
f130539b2d2324246449abb99f5a0effb214feee629b092d48ac63aca14e2ba6
Formbook
+ 6'074 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210625-2skq6a495x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.hai96.com/lvno/
Unpacked files
SH256 hash:
7de004bdab6a4a8912d182e30147feaf0287ae0b96eefca51ce40f61e6623e0a
MD5 hash:
6bc985d34b5b808156fb1b59dac39b55
SHA1 hash:
282d6ca56c5e4a9660065d1b88ae3c749607a68a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/90c4a5f2-82fe-45b0-91f4-02426c11756f/
Parent samples :
d26002db103997db131096ea22189a0f4f2a5a17fea7d100796d5148f1815447
432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144
e3f49f0b8d0d27770f262483e2931ab3c5d7683d2d2e086e97e99b1100269589
ed1c8e0943e3e4877bc1732debf2c109ebe42dd4f88023db3b85246f25906601
SH256 hash:
9449df7d50a4898a5f6e2328b6a923a6b86dfa6c7bf2aca6aa9fdfc3e4700290
MD5 hash:
e89fafe323dcbd85d9997ec9d8215249
SHA1 hash:
a7907928d524aea3835dfe1ba019ddd77d4e395f
Link:
https://www.unpac.me/results/90c4a5f2-82fe-45b0-91f4-02426c11756f/
SH256 hash:
890032906916c99d8e347c7f9a4760ac588b83f1c907148d1e1f10a687100a73
MD5 hash:
2464b785d89d29e62d170da7e4b5bb31
SHA1 hash:
3fe857be896c5f47d1b036b9766c778fedc8cee9
Link:
https://www.unpac.me/results/90c4a5f2-82fe-45b0-91f4-02426c11756f/
SH256 hash:
432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144
MD5 hash:
1bc1e23e2e7712b81031b97a96356732
SHA1 hash:
0e50bd3079fff410751886dc88ef2e7aec5ca53e
Link:
https://www.unpac.me/results/90c4a5f2-82fe-45b0-91f4-02426c11756f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168266/

Comments