MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
SHA3-384 hash: 012702059b6a7c4adfdec58971c85a65888e0b232363d4181da3ac10531809cc712d97100c207e4451290112e0c7fb34
SHA1 hash: fc38d173b4f2421cbdf0547f498bf2658c09a6f3
MD5 hash: 8e5764617194a54afd7c5cc130fbeff8
humanhash: mars-neptune-march-stairway
File name:SecuriteInfo.com.Trojan.DownLoader27.59888.18732.548
Download: download sample
Signature Formbook
Create hunting rule
File size:706'048 bytes
First seen:2022-06-21 15:36:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:7SPa/sOOa7dC8eJ7nALT4BU4x7vQ2m9E8F2lGKMzI7r/D4CpQ5rM3NJsGVBMs+yd:mPqlOaxRyDB9x7vQ2GldKMzIP74Chasy
Threatray 17'119 similar samples on MalwareBazaar
TLSH T16AE401F19FF4BC6AD12560B274A1A07C37E34E1DDC51AA35CADBF04A34A66C520E2E17
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282031/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader27.59888.18732.548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62b1e5e108903778452d7894/reports/bbed2dfc-e4aa-4988-8a52-f1c855aa0ffa/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4edce3a-8a50-455a-b3c9-510cc11458fd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017259
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 13:22:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqj2fzxhpdg4lxmdtalkmljf42ajlprsliuag22f7blrmqc2fuma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
Formbook
391336702d03ff6b04f7d00b110949c35243f97dd4a393e36d539284f98f4257
Formbook
68461f9c1180025d2b1a97b218ccfd33623fadf5447cfe832f78c9cb816ca0c1
Formbook
8ecf3a66141bdd66b2ba8201bb1fedbbbde5c4e5710b99ba2e1d523ad49011a1
Formbook
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
Formbook
a013267b2dae410a6e166f9faaceebef0324d4b9036531856f10275f30ce41b8
Formbook
a92f8917b2e98217ede5359f7906dd0a60df26e087a1e1c33b81797a334fb448
Formbook
cf6f665f23b44c9c347fc9d3fbb3f6b3ccf3ab82366959437213ad77346e757d
Formbook
+ 17'109 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nn40 loader rat
Link:
https://tria.ge/reports/220621-s1x35sfaej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SH256 hash:
00a3c969c97659e92f898bd8a1fdbc6eb308cc3efaf8f15a2683b58de35ed144
MD5 hash:
595c4daca1443220982feb77f6dde82c
SHA1 hash:
05098e1b566478f0e526806904ba0bd3910f4443
Link:
https://www.unpac.me/results/0c88917b-24fc-423d-b55b-ca0c0094b8c2/
SH256 hash:
3f715d7a1de5e0117a2a4054f045de698743482f52ca3436bcfe7720b87d10de
MD5 hash:
c01d2fecf6af22293e2cf3bfcd389024
SHA1 hash:
571b61c56f1bb167e10da214052efe89f4f247fc
Link:
https://www.unpac.me/results/0c88917b-24fc-423d-b55b-ca0c0094b8c2/
SH256 hash:
6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e
MD5 hash:
7ce2d10bd0f02667bc0e1343d9ffc1c1
SHA1 hash:
c3a5b4e5721085022eb7bf0008b7e449f9369fcf
Link:
https://www.unpac.me/results/0c88917b-24fc-423d-b55b-ca0c0094b8c2/
SH256 hash:
eb34d25f79cf69105cc87e8e8f902fce7bc2dc4c80d5c1dc510cf60b3859dfb3
MD5 hash:
f8fbac0b58d026c8dd80df878e2e7774
SHA1 hash:
69de8ce161c2fdd0d10aee01a20a1e3b2b51237c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0c88917b-24fc-423d-b55b-ca0c0094b8c2/
Parent samples :
9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
c9777cb78779de98104f1a01584f9df07e39b7ace7d5e6686d225e7261bd9447
0cfac9ebd9e0bb5a2f128f38b9879e4f103208c8559a68a18bb099fa2b8bf18e
1d9fc02237d06ae3ee5ea85ae14a05ab41ee99f03ac660e3f6360ac6864bf7fd
d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
d9953c25aba720427a7122609ba2ec3ed42861e9acd631dc5f2a0deb3d8508b5
SH256 hash:
4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18
MD5 hash:
8e5764617194a54afd7c5cc130fbeff8
SHA1 hash:
fc38d173b4f2421cbdf0547f498bf2658c09a6f3
Link:
https://www.unpac.me/results/0c88917b-24fc-423d-b55b-ca0c0094b8c2/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4413a2e6e778/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4413a2e6e778cdc5dd839816a62d25e68095be325a28036b45f85716405a2d18

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2246362/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/282031/

Comments