MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d
SHA3-384 hash: 36e3d4f7438173c9cb5ce825ad349810223002184b1ef89f9900088b583d5b2f7ea6ba3345ae7ab4b8e86464ac5c013d
SHA1 hash: c8f33f13f16c35fbb5dc7ead9fa09e9e93dd1f8b
MD5 hash: 20142c69d56ff0704c38f58bf8a48f0f
humanhash: magazine-four-freddie-quiet
File name:NEW PO 22102022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'020'928 bytes
First seen:2022-10-22 18:17:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:bLbJho2iN8fEunZnATyctSlc8ej6QPtmUHSYaIToxjfgVfTUP2ILXo10RcfU:bo1YZEycklcx2839oxTdLXVRW
Threatray 16'584 similar samples on MalwareBazaar
TLSH T138255AB626D05117E4193AB69083E1F326FBAE516041E2C364C75F6FBC852FB961338B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
NEW PO 22102022.exe
Verdict:
Malicious activity
Analysis date:
2022-10-22 18:19:49 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/de57d3da-372c-45c0-9db1-f92324740f1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/322732/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/635433dd898b0652a4b960d9/reports/a73ac1b7-1132-4b94-b5d1-0456f3cf55c8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9901309-366d-4acf-a9d8-32ec16652e86
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095596
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728237 Sample: NEW PO 22102022.exe Startdate: 22/10/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Sigma detected: Scheduled temp file as task from temp location 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 9 other signatures 2->67 10 NEW PO 22102022.exe 7 2->10         started        14 Smjbnp.exe 5 2->14         started        process3 file4 45 C:\Users\user\AppData\Roaming\Smjbnp.exe, PE32 10->45 dropped 47 C:\Users\user\...\Smjbnp.exe:Zone.Identifier, ASCII 10->47 dropped 49 C:\Users\user\AppData\Local\...\tmp4956.tmp, XML 10->49 dropped 51 C:\Users\user\...51EW PO 22102022.exe.log, ASCII 10->51 dropped 75 Adds a directory exclusion to Windows Defender 10->75 77 Injects a PE file into a foreign processes 10->77 16 NEW PO 22102022.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        79 Multi AV Scanner detection for dropped file 14->79 81 Machine Learning detection for dropped file 14->81 83 Tries to detect virtualization through RDTSC time measurements 14->83 23 Smjbnp.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 16->53 55 Maps a DLL or memory area into another process 16->55 57 Sample uses process hollowing technique 16->57 59 Queues an APC in another process (thread injection) 16->59 27 explorer.exe 16->27 injected 30 conhost.exe 19->30         started        32 conhost.exe 21->32         started        34 conhost.exe 25->34         started        process8 signatures9 85 Uses ipconfig to lookup or modify the Windows network settings 27->85 36 svchost.exe 27->36         started        39 ipconfig.exe 27->39         started        process10 signatures11 69 Modifies the context of a thread in another process (thread injection) 36->69 71 Maps a DLL or memory area into another process 36->71 73 Tries to detect virtualization through RDTSC time measurements 36->73 41 cmd.exe 1 36->41         started        process12 process13 43 conhost.exe 41->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-22 03:54:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioftqrllkaz4ed7ptwo2fimie543lex3uicgqjbdcsquyaod2j6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
467fac1d1ceafe86337f429261f8d63e2cb280466c0f4c49ad79524b0237604b
Formbook
7845453819c89f24416bfa15744e3625fafb7544d5beb180f6fe02a4d639b227
Formbook
7f57baf941771509bb5f2b09a099e2b5a302c8892d5bdb65adcf47a8d4ecc64f
Formbook
9ce6edfb072d05faec9d72731fc1ed955348a0a86e44eb9511eb215045861845
Formbook
a9a61d46548276ace7d943faa87221d5a9d25147a2419b80833b8e673185f3d7
Formbook
d5b506a06cd81e98b0ac084d04cf2eeb448dac247c0fe6570f5986c4dffd9554
Formbook
f1d6dee5489870d7cc620521cce6009b2fc0d4cada1ec66a979ef53faf6c1fd9
Formbook
fc3b3317c4877d207407aad03ab5af9c0fbd4ea5e71353139eef0af9ab013c91
Formbook
+ 16'574 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:pf20 rat spyware stealer trojan
Link:
https://tria.ge/reports/221022-wxl39aecb9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/98f5023d-de30-4794-8257-8865013415a0
Unpacked files
SH256 hash:
f38b041ae11863ab3146102075a85714bfd0a3a174eafd52ae12bf72230afd77
MD5 hash:
45954f99b4c66ac25ad840aec7f9dc49
SHA1 hash:
72d25564d93588cf1958728885d2bbcdcad8837f
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/610d8c7d-273f-42af-a686-dcb4b7d4ad3b/
Parent samples :
438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d
4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738
69c32e09bd27aaea6ed0b0b448e6332f18e67daa0ad5d7cbc74718f9b1236cf5
40616665c8e28905ea7bf8726ba31150b48038f68681de80681f6b644d3e0189
2a4334476109d2ef5b95fbc6156e284a4c7340ffad00def833b23a3488884ded
SH256 hash:
31416eb48b624f9bc0182ed3dde2f1b580ecd1f727e884687b8189772c5ef00c
MD5 hash:
e5f3c8240303416d2cbeb8796ebe92ec
SHA1 hash:
f5134b10a5a478545f77ce83b9f6d8d4654572f3
Link:
https://www.unpac.me/results/610d8c7d-273f-42af-a686-dcb4b7d4ad3b/
SH256 hash:
f65c6bfb61b7d1c13b4cd15cd4304f6df0a73607fb50dd75b05352bb21f94037
MD5 hash:
82f1e3b4121e012c03aff346e7637fa0
SHA1 hash:
7207d5189a07b7bdb4b5e38970e4fe3fd5c4b2ea
Link:
https://www.unpac.me/results/610d8c7d-273f-42af-a686-dcb4b7d4ad3b/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/610d8c7d-273f-42af-a686-dcb4b7d4ad3b/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/610d8c7d-273f-42af-a686-dcb4b7d4ad3b/
SH256 hash:
438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d
MD5 hash:
20142c69d56ff0704c38f58bf8a48f0f
SHA1 hash:
c8f33f13f16c35fbb5dc7ead9fa09e9e93dd1f8b
Link:
https://www.unpac.me/results/610d8c7d-273f-42af-a686-dcb4b7d4ad3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322732/

Comments