MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b
SHA3-384 hash: e8e75046b1696deedad6aed886a11134962fff33bdf5123117843ad3183c0dd8ee67d430e86cac59c97ba0d5ef36fbdc
SHA1 hash: 9d46081281d1dd4f080d5f0f7c5a78343fff760d
MD5 hash: a6131e5376fda93069da7f836440bea1
humanhash: cardinal-alabama-kentucky-purple
File name:a6131e5376fda93069da7f836440bea1
Download: download sample
Signature Formbook
Create hunting rule
File size:1'612'288 bytes
First seen:2022-01-07 09:44:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:wFPnYIyQpx7ZV3tjV4QpsKgEy7xfkzO690U3JrD:QhrjV4QpsKW+K69n3B
Threatray 12'158 similar samples on MalwareBazaar
TLSH T1BE751932FABB8982C19C5736D5AA141E83E0ED41A623D71B75ED23691CD3FA64D0360F
File icon (PE):PE icon
dhash icon 18808c9c8c869830 (9 x SnakeKeylogger, 2 x Formbook, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
po.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-07 07:02:41 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/c1f16614-5364-471c-8d6a-d47bbcb04855

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217692/
Detection(s):
SecuriteInfo.com.W32.MSIL_Troj.BUW.genEldorado.24100.17294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Sending a UDP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d80ba31c0d769df9d536a7/reports/520b8abc-7673-4778-9d4f-3f4c6464f681/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c59f60f9-5611-4dc3-be6f-2a07037f2a43
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/916774
Signature
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549248 Sample: JlQ2XWL8Az Startdate: 07/01/2022 Architecture: WINDOWS Score: 60 31 Multi AV Scanner detection for submitted file 2->31 33 Sigma detected: Suspicious Encoded PowerShell Command Line 2->33 7 JlQ2XWL8Az.exe 2 2->7         started        process3 signatures4 35 Encrypted powershell cmdline option found 7->35 10 powershell.exe 9 7->10         started        13 powershell.exe 8 7->13         started        15 powershell.exe 17 7->15         started        17 2 other processes 7->17 process5 signatures6 37 Uses ipconfig to lookup or modify the Windows network settings 10->37 19 conhost.exe 10->19         started        21 ipconfig.exe 1 10->21         started        23 conhost.exe 13->23         started        25 ipconfig.exe 1 13->25         started        27 conhost.exe 15->27         started        29 conhost.exe 17->29         started        process7
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b/
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-07 07:38:58 UTC
AV detection:
4 of 43 (9.30%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
96f1c5c1d23be195f1020daf8b7e179d77d6cd0b24cdda659b3af07da82b169c
Formbook
ace8d85c2f02bd3d531cd8d609d23c6d35588ecce52f40a8d129b39a6b1d7723
Formbook
c26350de480859838a7d758ce891d049c78844695c6f7e33f9ea2fecc4b4a4a9
Formbook
db31c01119f54e596eccec7e9d909d3344f42e82db94f348cdb0ace3d8ba9bab
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
Formbook
+ 12'148 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oh75 rat spyware stealer trojan
Link:
https://tria.ge/reports/220107-lq333scecr/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b
MD5 hash:
a6131e5376fda93069da7f836440bea1
SHA1 hash:
9d46081281d1dd4f080d5f0f7c5a78343fff760d
Link:
https://www.unpac.me/results/f716e19e-7e0b-40ce-95e5-0617532488a5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/43be40087324/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217692/
  
URLhaus
https://urlhaus.abuse.ch/url/1954948/

Comments


Avatar
zbet commented on 2022-01-07 09:44:27 UTC

url : hxxp://18.209.1.250/22/Yvust.exe