MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4
SHA3-384 hash: 83f47225ba1e4475431dd4838f34c41ac86cd30b6313755f257101d57c94e9a9cb7982b9cb7a14a56b7aa0098d3680e3
SHA1 hash: 808855d569d26b729e2b6c6db15c11a8d7c7e992
MD5 hash: 2b8fa1fb91177e751ccfd2022d20e1be
humanhash: fish-oklahoma-avocado-uranus
File name:SecuriteInfo.com.Win32.PWSX-gen.23598.30908
Download: download sample
Signature Formbook
Create hunting rule
File size:594'944 bytes
First seen:2023-11-20 11:17:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:tvCeNBz93IMDikLiN7ffWu1Ufg+3V20ImocOSGUdzqX:tqe7+MDiFN7fuu+HwJNu
Threatray 164 similar samples on MalwareBazaar
TLSH T154C423499ED407B4DA3C47FD4A5BA210475D9A6B2AECC2FD1DD0618211F1B230DB37AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459296/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.23598.30908.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf0dea1a-fff7-401a-a292-9cd53cc24806
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1345121
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4/
Threat name:
ByteCode-MSIL.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 09:00:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iod32o7j2ygdpsaa5i6qsspjcvlm7iu6nhjvusqyyzl7ihfz6tca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
360937271a1d61e89c3be7d77f79c686292a3feff0a4b1f53d1999b51c0037fa
Formbook
3f0f2b7e3062679b5ba9559637eee1d3ab15dea790fbf3c85b69fcccb3edc8bf
Formbook
4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4
Formbook
5f54c03b146b95b4f20382eca41ca67a2ba11b5d3ee0d7a14f93ab8cc1f68d50
Formbook
aa7afebfd032006687eddefc5578bbc1933f1477aeaef5a17427677a4de08d95
Formbook
b3a50f27f037fc524303604335c490550752f7eb426553a73b12b8ada3d2f892
Formbook
b5081a6bb5cd550a99f314c6dd7e76cd217473ddfec2f65c1b5ec13a000680b7
Formbook
b960e59e160d3b049843908bcfb05c00326a252a574de70d2126ddaa8f48a962
Formbook
+ 154 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231120-nd9q7sge7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
2fb4afc1c2e767c901d6d47297a908d46fb05bb86ec1695e8148612a8f828d13
MD5 hash:
7f80c877eb7f1bb7ff9c286ff91ef66f
SHA1 hash:
1df9aba12bd4bd3b3e53e729ee4a0fad6822de7f
Link:
https://www.unpac.me/results/cd12e413-5dd2-4e49-b67e-57e0cfd9547e/
SH256 hash:
abcdfd88809fde2b8fb86c4b7f50894ff01157d45abdf9840a3dc3adc9a5c6b8
MD5 hash:
848c3537038c9ed908dd11f2860a8ca1
SHA1 hash:
08fc35e67c9f52a008e3f9f452674f59bd2a82d8
Link:
https://www.unpac.me/results/cd12e413-5dd2-4e49-b67e-57e0cfd9547e/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/cd12e413-5dd2-4e49-b67e-57e0cfd9547e/
SH256 hash:
5d1168df5f3dba04e8a4308221a6ea8f2a5dbc3b0c52f2e4e931dcd0d4dffcd9
MD5 hash:
6707c94d86ce95aedcfe67f2e6b9ec7d
SHA1 hash:
64d97577b2cf0b9cadc7ea785742d022f2e98f72
Link:
https://www.unpac.me/results/cd12e413-5dd2-4e49-b67e-57e0cfd9547e/
SH256 hash:
81a9e5e4f2481170ea07fbe19c19308d55453dbe893e283d74f9d34768067068
MD5 hash:
f82eaca89ad8b7c448dca6411ff2a8fa
SHA1 hash:
411af9e95ac5b764865f8f9a032458f9a7cc2501
Link:
https://www.unpac.me/results/cd12e413-5dd2-4e49-b67e-57e0cfd9547e/
SH256 hash:
4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4
MD5 hash:
2b8fa1fb91177e751ccfd2022d20e1be
SHA1 hash:
808855d569d26b729e2b6c6db15c11a8d7c7e992
Link:
https://www.unpac.me/results/cd12e413-5dd2-4e49-b67e-57e0cfd9547e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4387bd3be9d60c37c800ea3d0949e91556cfa29e69d35a4a18c657f41cb9f4c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459296/

Comments