MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89
SHA3-384 hash: 70ca953c8da487f57880de422f114cc928b3e7e71034059606458dff3d16eb32956504099e4d9fe009adc1201ea37cfd
SHA1 hash: 60097ca2b53ec203abc7293aaaf7e8cb684793a2
MD5 hash: 21def4194a0dd2f6d0cd3a3645a642cb
humanhash: autumn-mango-magnesium-solar
File name:MITT_Order_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:525'312 bytes
First seen:2022-04-14 06:16:14 UTC
Last seen:2022-04-14 06:53:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:C8SfINUa4ZIdD0futTJX//gQBwHmhm3+:WFafDR3fU+
Threatray 14'981 similar samples on MalwareBazaar
TLSH T11CB4125826ED4F6BD47E47FCA4E1440487F0E5266923E78A3E9870EDE773B928422347
File icon (PE):PE icon
dhash icon c030d4c6c6f430c0 (5 x Formbook, 3 x Loki, 2 x RemcosRAT)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
MITT_Order_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-14 06:47:36 UTC
Tags:
formbook trojan stealer phishing
Link:
https://app.any.run/tasks/1a454037-7203-44b1-a0fa-3a59613807d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263603/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.30311.271.8163.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6257bc62ffe27d5119cae359/reports/9cf5b8e9-bdcf-4813-a748-74b8d727a455/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0313fc4a-4944-4bc4-ab83-d9b9903b4132
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976609
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609096 Sample: MITT_Order_pdf.exe Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 8 other signatures 2->39 10 MITT_Order_pdf.exe 3 2->10         started        process3 file4 29 C:\Users\user\...\MITT_Order_pdf.exe.log, ASCII 10->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 14 MITT_Order_pdf.exe 10->14         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 14->53 55 Maps a DLL or memory area into another process 14->55 57 Sample uses process hollowing technique 14->57 59 Queues an APC in another process (thread injection) 14->59 17 explorer.exe 14->17 injected process8 signatures9 31 Uses ipconfig to lookup or modify the Windows network settings 17->31 20 ipconfig.exe 17->20         started        process10 signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        25 explorer.exe 153 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 04:17:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iutmkbetd7m7t6ojnl4s6zxfrxghxyy2rputbheoww22z4wllseq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68
Formbook
42c22b1ceff07541d20717e8b9fea63a1418dc92917303cdcf48cce246a7d29f
Formbook
49f94b3fbaf875cb2c223cdee59cfdedf4b2b937fba4a473cf2e4f767b44cb4c
Formbook
502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2
Formbook
67435ee3c6fd3d272c004256f34020df37fb93fd33c18720053b9d2c1bb19b67
Formbook
8e2fa281cc72512de1fc53eb27a9c04a524ce87c3cdf5932931ea3dc463a459a
Formbook
9c6a6119bc7008246685cb9960fe21969a8bfbbea6659e6e0afa329358c60a50
Formbook
c232cf286c8156708491756db96442ab995cdaaea58875a7c63e3e496b30d0cf
Formbook
f2b5798f32f9221aebb349c66a631b0f2bd9a10345bc053c3fb945ee3b4bdbde
Formbook
f725b6a2466a6f4c7084eeab5994e30b8ef836633c1a84d85c1899deb1808d3c
Formbook
+ 14'971 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:tumb loader rat
Link:
https://tria.ge/reports/220414-g12ksahdf3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Unpacked files
SH256 hash:
d3c5b45af4728c544bbda0a159e5ea737e5a68352de4805921b687e09246ab61
MD5 hash:
23c6fc28d3bd7cf344337182a8d4150a
SHA1 hash:
b6be993b2bd725ec5946f5790682b8ef2000c97a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d4981110-a20e-4eb4-bbfa-9502399f0d28/
Parent samples :
16d108f51f45ce601a5b10165629fb8fd6893508e03a2288374c2741a9474e11
b7f5857586780b4dba775eb6d75c03ee627405bbedf03c7e1966ec8abb3f2c6c
4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89
SH256 hash:
d760c599b23c1069f9e5727c15f4e4b81799203d84d56e7fc3ae61b173846bda
MD5 hash:
e4178adb9dd0d949c39b7b3b930ea46c
SHA1 hash:
4635a17a0a516de909b3028fc630ac7946c160b7
Link:
https://www.unpac.me/results/d4981110-a20e-4eb4-bbfa-9502399f0d28/
SH256 hash:
c14ea4bdd27d729f044bf4e83e0bdb1e1cfcc92c987036fdbc439283c1022211
MD5 hash:
0587f7540c5eefae2bb042a11ff155d5
SHA1 hash:
24ca734b95fe93790c053f748791de56e66ebc1e
Link:
https://www.unpac.me/results/d4981110-a20e-4eb4-bbfa-9502399f0d28/
SH256 hash:
e6536020791abbaf3e61d27f224f905eceb7d711f55834ce9577c64323d46f82
MD5 hash:
8f77c3b86dc9a33fa972a22b203931da
SHA1 hash:
0e54e77e34ab518171fdcb8c24a7c228f3bbb0b4
Link:
https://www.unpac.me/results/d4981110-a20e-4eb4-bbfa-9502399f0d28/
SH256 hash:
4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89
MD5 hash:
21def4194a0dd2f6d0cd3a3645a642cb
SHA1 hash:
60097ca2b53ec203abc7293aaaf7e8cb684793a2
Link:
https://www.unpac.me/results/d4981110-a20e-4eb4-bbfa-9502399f0d28/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925

Formbook

Executable exe 4526c504931fd9f9f9c96af92f66e58dcc7be31a8be9309c8eb5b5acf2cb5c89

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 da33bf8e15a2943bc79bcc1ac7624ddb3ead14be2c2d458b16973fbcaa625925
Cape
Cape
https://www.capesandbox.com/analysis/263603/

Comments