MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab
SHA3-384 hash: e0b53ceec3f2823edbf7b50ea4101303d5eabef3f636820e35bd30f06edb62ee7f82149e8d622bebefa44e49b0c2a35e
SHA1 hash: acf9748a3056ae157741c7431408b72e32d98c35
MD5 hash: b8185fd04dbe1c2ef2ec8fbabbb18632
humanhash: california-golf-red-october
File name:Purchase Order#44231.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:718'344 bytes
First seen:2024-04-08 10:22:16 UTC
Last seen:2024-04-08 11:35:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:CB1oVeonVJVwPOm13aoanwlDfokYYHzDhlVM8G25LRAFtx8oZ886Tgpm6vv9QkR:go5nWra4lDfoklBlVMKRAnHITgQ6vvF
Threatray 1'306 similar samples on MalwareBazaar
TLSH T100E42353FBFC2A87D6BDAEF25939852277B697360030C6D82DCD20DC61C9B50DA51A0B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f0ccb26569b2d4f0 (6 x AgentTesla, 5 x Formbook, 2 x RemcosRAT)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab.exe
Verdict:
Malicious activity
Analysis date:
2024-04-08 10:24:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d39356df-0832-41e1-82b8-5ea292212c9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/6613c5886e53ce7981ea0792/reports/496c8433-538a-42d4-a1cd-112ff11598a3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/636f2b86-b23f-4ae4-94cc-987e9271b8cb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1422187
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1422187 Sample: Purchase Order#44231.exe Startdate: 08/04/2024 Architecture: WINDOWS Score: 100 33 www.yoursweets.online 2->33 35 www.viewhird.com 2->35 37 18 other IPs or domains 2->37 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 11 other signatures 2->47 11 Purchase Order#44231.exe 3 2->11         started        signatures3 process4 process5 13 Purchase Order#44231.exe 11->13         started        signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 52 1 13->16 injected process7 dnsIp8 27 elcaporalburley.com 74.220.215.87, 49744, 80 UNIFIEDLAYER-AS-1US United States 16->27 29 www.skyhut.io 92.53.96.150, 49742, 80 TIMEWEB-ASRU Russian Federation 16->29 31 6 other IPs or domains 16->31 39 System process connects to network (likely due to code injection or exploit) 16->39 20 wscript.exe 16->20         started        signatures9 process10 signatures11 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-04-08 01:53:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iu3jegfyru2onpbrmqyyeugdtq45xxu3fjallqgy3xtkhk7ydgvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a88a2e3cd7e300b0d55966ff1b19c3643739dd1bdeaada05f9e7f8841557202
Formbook
0c0001dfab0dc6cf87fc05e6752207cb13627722317885249e8840d335906d1a
Formbook
12fb27d7a59c168a82317baa0b127b8a826cc98dd108fc37fd022d8a842b06bc
Formbook
47d5dfe5d59cd87f1d41105123e02fa661a17e7e0623125c51956165113f8f4e
Formbook
5e89ab886cf3b566f09eae1c670f3c25748d9ac78bc04d8b34ed71300ee53dc6
Formbook
6c57771cda82415d8e0f6492203eff52a3fb36ea966fad9fc4e7fb4d0de7e378
Formbook
bcf3670fe7a029d453f1887f16b97b8577235980909aa282d410cd927fb53a7f
Formbook
bddecf330d5b3d2c09db0b26dc6367e2e71a2e0317cc65610cd1cca8809fd0e2
Formbook
ca1d2592c9726d9e3a6a57c55ac57b40d9aa3bc501393a40962afd5bd4946433
Formbook
e0063d0d5bebd7b349f970ec640d1e14ccba6e766999bfd630ac52e791e2dc65
Formbook
+ 1'296 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:vr01 rat spyware stealer trojan
Link:
https://tria.ge/reports/240408-mesnmsab6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
df2a9d055756f5ea356bfbfb48f9231551c3579232835cd5a0ff0b77ec2e9a7b
MD5 hash:
acab252ab1618c93c2990fe069c739b3
SHA1 hash:
1f8ccc90735799f312c1729e6a4e86415b6305b7
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/924a56a0-084a-4cd2-86d2-9ee1bd91bc67/
Parent samples :
8bac70d4338336e952c8d8122233b325b1a2ed7d64c74d96202cc8172c7bf824
71593432fb7a1d31d7f9f31c580aeb41189678fb7f63ff23e0c2b1fff0aec381
8926417110b368be42eddfd31b1d422c2e1d41720df7c4cfa215ba4400ca63c6
12fb27d7a59c168a82317baa0b127b8a826cc98dd108fc37fd022d8a842b06bc
ca1d2592c9726d9e3a6a57c55ac57b40d9aa3bc501393a40962afd5bd4946433
45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab
4850a766fab45d5947075658d9c6bbf4b970f0d05b082c1472b93d9a7fa3d093
SH256 hash:
5d12792747535225c2f041b46e03900b8d150024c44a2ef74d14c022e62b7adf
MD5 hash:
cc4a85a9823e1d5455d02050dab82933
SHA1 hash:
89311c5edcd807cbf5a5383657b4d58dac9d7dd4
Link:
https://www.unpac.me/results/924a56a0-084a-4cd2-86d2-9ee1bd91bc67/
SH256 hash:
14641f03051d346aa3a24be14851261baa2ee6b1cff524ddca433fcc71d9542d
MD5 hash:
6661bfd44985279631496543484323b1
SHA1 hash:
5b3452b4c01b676f5ab2d4586819bd687456a34e
Link:
https://www.unpac.me/results/924a56a0-084a-4cd2-86d2-9ee1bd91bc67/
SH256 hash:
1bf5c841339260c5f1a634a67c89d06210fac99b3dde16f80c9adcab4db3ed6c
MD5 hash:
72e6762118c3d83811ec429e66b466e2
SHA1 hash:
395b39ff97a5f97ce14f730726c5745d36b5c2ba
Link:
https://www.unpac.me/results/924a56a0-084a-4cd2-86d2-9ee1bd91bc67/
SH256 hash:
45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab
MD5 hash:
b8185fd04dbe1c2ef2ec8fbabbb18632
SHA1 hash:
acf9748a3056ae157741c7431408b72e32d98c35
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/924a56a0-084a-4cd2-86d2-9ee1bd91bc67/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45369218b88d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 45369218b88d34e6bc3164318250c39c39dbde9b2a40b5c0d8dde6a3abf819ab

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments