MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0
SHA3-384 hash: 62969addc0c67dafee5ec8886f6e153f3e8e76faae5ac30b3aaa40fc325ecec89775f2f8fb60c6939e49fbc561651562
SHA1 hash: 8e300c69acd17e35c31b87310fe1c5da7f3f3437
MD5 hash: d32b55acf96361e5c9c8da94c1b8a102
humanhash: papa-uncle-colorado-dakota
File name:SecuriteInfo.com.Suspicious.Win32.Save.a.30627.31065
Download: download sample
Signature Formbook
Create hunting rule
File size:503'296 bytes
First seen:2021-09-01 08:39:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Gr1oGQ/IsfJMTIgR5uxQkIVmVjW4tO7G:8kfJyIg3pV
Threatray 8'720 similar samples on MalwareBazaar
TLSH T137B4E08C7654B69FC51BC976DA982C20EA60B57B530BE303A44356EDAD0D69BCF021F3
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents_2670767360.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-01 06:05:26 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/477f65e7-bff5-4516-895c-17dbb5f17782

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184412/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.30627.31065.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39d8af3b-9b99-493f-b980-262b23cbb6fb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843197
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 07:28:54 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ae1df4d50a7ed640973980699737b85e8947baef0087c511b4b1ebf8bdc22ba
Formbook
12de2f015642b7430fdf5e76d186dc2c38161f4e2238e84d8dd9e4125d3bceec
Formbook
22354e48f65fe92be2c9b5d271376568b1ad918a40d0f7eb03fc99823ffdae33
Formbook
276d33f672db408f43ce953f0c1c42a46af0b50d8c24cac95d86fef7787246bd
Formbook
33a9702e83888498799c0144e3a3ac06e095aa452ce066a02a3860dcd90d6bb8
Formbook
3638ac885ef63f3b5bfadd95b0f43c34c3854e2483adde873b3d5fca7a831632
Formbook
3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
Formbook
6ce6f6c16310e90a3d624750f1d7146aa4d2e8baa04d409133869199d4a5d23a
Formbook
87ad57ffa31e9b3481663bd81249ec1e563dc2931bb4bb2045b06ea7917f1593
Formbook
fad8f6a07c20b0594611901f079ab4ad87c3c0a3ff5e776eee1f86b4b56abd4c
Formbook
+ 8'710 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:imi7 loader rat
Link:
https://tria.ge/reports/210901-6kzdltr4zx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.southerngiggle.com/imi7/
Unpacked files
SH256 hash:
ea88e40b750a9f44289afb18b9096c14c1a0d81ae92bd236fe3fd15bf9f8dd27
MD5 hash:
8110d942a1afd5a03fb68ef51e9bce54
SHA1 hash:
d22bf05fd3f760e6f65d5ab239adf71c25f0be09
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/eced6949-ecc8-44e6-bb85-85dad4277b8f/
Parent samples :
3c30562fe4d02debdc7ff0d3a101e4807010b779166bbafd25ae0fd068b7255a
12de2f015642b7430fdf5e76d186dc2c38161f4e2238e84d8dd9e4125d3bceec
4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0
b83afeb8225d897dcac8a075bfda8659a64ac5b6c7db788e6913bf7e168caacf
bf9f97f369f730dbe091c7a5304ae2503f61eb0f226bfc763e0681cf07035618
ca9d13706dad307a2021d1fa1683e46b5b9670b92ad0ee5e474cbea0620d6299
01459f26c9c160284fbb5d73fe3e2c05634295c07c78b9667107950526af179c
4bd5c83d0ec09eb7019537466d0c3c1469986dce8c358041f65be1a60a6b6fe4
SH256 hash:
298a31993853244d8ffa7f458aa904c3fc035e1e3b0505f3085d3b449e807c3b
MD5 hash:
946ca755e0e50b9c7644b1fb0a1f130b
SHA1 hash:
99baefb0480f4c02bdfcb47ba8062b18a096a556
Link:
https://www.unpac.me/results/eced6949-ecc8-44e6-bb85-85dad4277b8f/
SH256 hash:
7a9e35a547c32fb964db35cb05717b041bf2e3c2b8573b8c2ae018bd9dd4dd3d
MD5 hash:
89c33602a104b31ce611a26be87fbc84
SHA1 hash:
677343562faa80429b6ac7ef9481227ebd39b4e8
Link:
https://www.unpac.me/results/eced6949-ecc8-44e6-bb85-85dad4277b8f/
SH256 hash:
7c3edb5f68e646d465f01986fad2adfb4fedf7f4b83235258ec36a66c275dcbb
MD5 hash:
117951f24c69a2f1dab7f720a96e0d61
SHA1 hash:
6345f27437a6395bb792b56b38cd5f587e552d90
Link:
https://www.unpac.me/results/eced6949-ecc8-44e6-bb85-85dad4277b8f/
SH256 hash:
4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0
MD5 hash:
d32b55acf96361e5c9c8da94c1b8a102
SHA1 hash:
8e300c69acd17e35c31b87310fe1c5da7f3f3437
Link:
https://www.unpac.me/results/eced6949-ecc8-44e6-bb85-85dad4277b8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4474153b57e54b4c94dc0c4e063dde0a7f296bc8f20a7a5d41d99d91c4239cc0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/184412/
  
URLhaus
https://urlhaus.abuse.ch/url/1582640/
  
Delivery method
Distributed via web download

Comments