MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4626f5ee1aa57105246246df1b2aa4bdeca358e55a650e452ac529b5c39ef20e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook

Vendor detections: 16

SHA256 hash: 4626f5ee1aa57105246246df1b2aa4bdeca358e55a650e452ac529b5c39ef20e
SHA3-384 hash: a51728131bbd24e645d445f356217290f2691ed2b3584527a5b9009c18e2436d9990b55a00910ef2f20b9852d6168792
SHA1 hash: 6a70d490ff5494bc5270d1c48608f76a71ebf684
MD5 hash: b85f4bf7ee5af2a32627ec48f5163bab
humanhash: pizza-winter-massachusetts-spring
File name: Urgent Quotation_pdf.exe
Signature: Formbook
File size: 782'336 bytes
First seen: 2024-06-24 18:47:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:b8L+hEEsb9hZll0SgU9wTFL/qr76YLNnCDTRrZu9Kmhn/5ZHz85A8pktS2ZVG//M:FsbTZj0Sb90ZWLNn6G9VxZHz+pk02ZM
TLSH T1B8F41292B1548DA6CC7C09B0746E50568772BDA1F8A0D79F3EDA76CE2DF37522102A0F
TrID 53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: fefefff9d3dfc0c0 (5 x AgentTesla, 1 x RemcosRAT, 1 x AsyncRAT)
Reporter: NDA0E
Tags: exe FormBook
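Before detonating or unpacking a sample pulled from this entry, a practitioner verifies that the bytes on disk are the bytes the entry describes (size plus all four digests), so that later findings are attributable to this SHA256 and not to a corrupted or substituted download. The script below is an added example, not MalwareBazaar's own tooling; the expected digests and size are copied from the entry above, and the in-memory test input is constructed.

```python
import hashlib
from io import BytesIO
from typing import Dict, List

# Values copied from this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "b85f4bf7ee5af2a32627ec48f5163bab",
    "sha1": "6a70d490ff5494bc5270d1c48608f76a71ebf684",
    "sha256": "4626f5ee1aa57105246246df1b2aa4bdeca358e55a650e452ac529b5c39ef20e",
    "sha3_384": "a51728131bbd24e645d445f356217290f2691ed2b3584527a5b9009c18e2436d9990b55a00910ef2f20b9852d6168792",
}
ENTRY_SIZE = 782336  # "782'336 bytes" on the page

CHUNK = 1 << 20


def compute_hashes(stream) -> Dict[str, str]:
    """Read the stream once and feed every digest from the same chunks."""
    digests = {name: hashlib.new(name) for name in ENTRY_HASHES}
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def mismatches(computed: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Sorted names of the algorithms whose digests differ (case-insensitive compare)."""
    return sorted(n for n, v in expected.items() if computed.get(n, "").lower() != v.lower())


def check_sample(data: bytes) -> Dict[str, object]:
    """Compare an in-memory sample against the entry: size first, then all four digests."""
    computed = compute_hashes(BytesIO(data))
    bad = mismatches(computed, ENTRY_HASHES)
    size_ok = len(data) == ENTRY_SIZE
    return {"size_ok": size_ok, "hashes": computed, "mismatched": bad, "match": size_ok and not bad}


def check_file(path: str) -> Dict[str, object]:
    """Same check for a file on disk (the sample is small enough to read whole)."""
    with open(path, "rb") as fh:
        return check_sample(fh.read())


if __name__ == "__main__":
    import sys

    result = check_file(sys.argv[1])
    if result["match"]:
        print("MATCH: file is the sample described by this entry")
    else:
        print("MISMATCH:", result["mismatched"] or "size differs")
```

Run it against the extracted sample, not the archive MalwareBazaar serves (the download is a password-protected ZIP, so hashing the archive will always mismatch). Hashing every algorithm from one pass over the data keeps the check cheap on larger samples; a mismatch on any single digest is enough to stop and re-download.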

Intelligence


File Origin
# of uploads: 1
# of downloads: 403
Origin country: NL
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
4626f5ee1aa57105246246df1b2aa4bdeca358e55a650e452ac529b5c39ef20e.exe
Verdict:
Malicious activity
Analysis date:
2024-06-24 18:49:47 UTC
Tags:
formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph (ID 1461950; sample Urgent Quotation_pdf.exe; start date 24/06/2024; architecture WINDOWS; score 100)

Process tree:
  Urgent Quotation_pdf.exe (started)
    dropped: C:\Users\...\Urgent Quotation_pdf.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    -> Urgent Quotation_pdf.exe (started, 3 child instances)
       signature: Maps a DLL or memory area into another process
       -> eOtOYHsLeGUMlLqVNshEzBGiA.exe (injected)
          signature: Found direct / indirect Syscall (likely to bypass EDR)
          -> chkntfs.exe (started)
             signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
             -> eOtOYHsLeGUMlLqVNshEzBGiA.exe (injected)
                signature: Found direct / indirect Syscall (likely to bypass EDR)
                network: www.ridcoredry.live, 91.195.240.123 (ports 49752, 49753, 49754), SEDO-ASDE, Germany
                network: www.vivaepicmarbella.com, 46.30.215.51 (ports 49728, 49729, 49730), ONECOMDK, Denmark
                network: 11 other IPs or domains
             -> firefox.exe (started)

Sample-level network: www.tufftiff.xyz (Performs DNS queries to domains with low reputation), www.xn--gotopia-bya.com, 15 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
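The process tree in the graph above (a PDF-looking executable spawning copies of itself, an injected instance launching chkntfs.exe, and chkntfs.exe in turn launching firefox.exe) is the kind of lineage an endpoint detection would key on. The following is an added example, not part of this entry or of any vendor's product: four process-lineage heuristics run over constructed Sysmon-style process-creation records that mirror the tree. Pids, ppids, the on-disk paths and the allowlists are assumptions for the example; the sandbox reports only image names.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (reduced Event ID 1 fields).
# The tree mirrors the sandbox graph on this page; pids, ppids and paths are invented.
EVENTS: List[Dict[str, object]] = [
    {"pid": 500,  "ppid": 1,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 600,  "ppid": 500,  "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},  # benign
    {"pid": 1000, "ppid": 500,  "image": r"C:\Users\user\Desktop\Urgent Quotation_pdf.exe"},
    {"pid": 1001, "ppid": 1000, "image": r"C:\Users\user\Desktop\Urgent Quotation_pdf.exe"},
    {"pid": 1002, "ppid": 1000, "image": r"C:\Users\user\Desktop\Urgent Quotation_pdf.exe"},
    {"pid": 1003, "ppid": 1000, "image": r"C:\Users\user\Desktop\Urgent Quotation_pdf.exe"},
    {"pid": 1010, "ppid": 1001, "image": r"C:\Windows\SysWOW64\chkntfs.exe"},
    {"pid": 1020, "ppid": 1010, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

# "something_pdf.exe", "invoice.doc.exe" and similar document-lookalike names.
DOUBLE_EXT = re.compile(r"[._ -](pdf|docx?|xlsx?|jpe?g|png|txt)[._ -]*\.exe$", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumed allowlists: images that legitimately spawn copies of themselves / launch browsers.
SELF_SPAWN_OK = BROWSERS | {"svchost.exe", "conhost.exe", "cmd.exe", "powershell.exe"}
BROWSER_LAUNCHERS_OK = {"explorer.exe", "cmd.exe", "powershell.exe", "svchost.exe", "userinit.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def detect(events) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts for the lineage patterns visible in the sandbox graph."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        image, name = e["image"], _name(e["image"])
        if DOUBLE_EXT.search(name):
            alerts.append(("masquerade_double_extension", e["pid"]))
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        pimage, pname = parent["image"], _name(parent["image"])
        # A process re-launching its own image is the usual prelude to hollowing it.
        if pname == name and name not in SELF_SPAWN_OK:
            alerts.append(("self_spawn_possible_hollowing", e["pid"]))
        # A Windows-directory binary started by something living under a user profile.
        if _under(image, "C:\\Windows\\") and _under(pimage, "C:\\Users\\"):
            alerts.append(("system_binary_from_user_path_process", e["pid"]))
        # A browser started by a system utility that has no business launching one.
        if name in BROWSERS and _under(pimage, "C:\\Windows\\") and pname not in BROWSER_LAUNCHERS_OK:
            alerts.append(("browser_spawned_by_system_utility", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The self-spawn rule is a proxy, not a confirmation: the sandbox labels the hollowed child by the image it found in memory (eOtOYHsLeGUMlLqVNshEzBGiA.exe), but an OS-level process-creation event still records the original on-disk image, so the copy looks like a plain child of the same name. Confirmation comes from the memory-manipulation observations listed further down in this entry (WriteProcessMemory, SetThreadContext, UnmapMainImage), which a full detection would correlate with the lineage alerts.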
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2024-06-21 07:11:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash:
f9af0d76952cf05e0cab25af1f5330d1e6f2357f1a812cdb296fa0ee877b46f0
MD5 hash:
e305a6806c2cdc9a7d38bc50e4feb79a
SHA1 hash:
91e0f10f8063f57a7a2a0cbc64dcf8901e8f47d8
Detections:
win_formbook_g0 win_formbook_w0
SHA256 hash:
37a1230743db4b846cf4a661fba9120f9fd0eac14c0327a660320e9bca7c672f
MD5 hash:
408a887166d0c77cfac798a5dc491d59
SHA1 hash:
6b5ea8bcf16e25efeb8e1408f30a3159636360f3
SHA256 hash:
e5ebcf0e9183bcbed11c138415e928763c3e6abd630d2e3eb09db780de393c31
MD5 hash:
06e87a7a1cd544bfbc2c9fb419d2ef1b
SHA1 hash:
d10fed8f44f707ef3334d7b4c059da89c2ab912d
SHA256 hash:
9a577d31e2c9a641f75ddaed2b0c4009e283d51c005e3fbbca81786bff761f21
MD5 hash:
ed61a5aa0f4d1ce89382122fd40086cb
SHA1 hash:
12d91d13eec29f2fd66fa4884d26798ffb2e1b34
SHA256 hash:
16026e6e502ab315929be95d5c9649c3f3a8f6cd344a6d7669c38a5910037118
MD5 hash:
2c78bf8868210b571196fd90c4604cfb
SHA1 hash:
e0fde3b30ef59ef145b1ee9132479c6293893933
SHA256 hash:
91f92dee005d54b7b71d8b29f0fea6c6b0fcc8ec499b63280aeba15e5ebf54d8
MD5 hash:
0be3db4a7a8cdd7d4fe8be954002a3ff
SHA1 hash:
db9ea909b307e78a883e65ebd5136702c2e78be4
SHA256 hash:
0501d536c1607843c6c9ebef7f11c149a77a567d727ea6ca7b588da0dfc8cd38
MD5 hash:
e2135807a3917d8f3fb65ebeef5b1f3d
SHA1 hash:
a4f5ad0a35b83937850ca5ab416aa00443784b96
SHA256 hash:
d37e2cb0b934fed50720dee905a0d235c08019432aaa2caa49f1e5175c3ba590
MD5 hash:
e509354e0731f16aed7fc757d06a12fd
SHA1 hash:
972d7618ebe43c730b8362a6ed0baea22280eb2e
SHA256 hash:
c6b162f11018f7b02d8bebeb4467723a7d5ae130dcdb49b0e05a8de53611ebdf
MD5 hash:
42d936595081db454ec21e5091adf129
SHA1 hash:
695fe8e2f70ed60dc8635c84b8f68baa54def572
SHA256 hash:
e2df41d4e1443c973a0cf8829cd8b61c86980241bea4640ec8d1693ab7dee83c
MD5 hash:
77d16cd9b2c3fa7206ad157dc6f83633
SHA1 hash:
39ba7bfd78610907f259b856fde8c0825545e696
SHA256 hash:
4626f5ee1aa57105246246df1b2aa4bdeca358e55a650e452ac529b5c39ef20e
MD5 hash:
b85f4bf7ee5af2a32627ec48f5163bab
SHA1 hash:
6a70d490ff5494bc5270d1c48608f76a71ebf684
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:maldoc_getEIP_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
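Both BLint findings come straight from the PE optional header: the Authenticode signature lives in the Security data directory (index 4), and HIGH_ENTROPY_VA is one bit of the DllCharacteristics field. The parser below is an added example, not BLint's code or MalwareBazaar's; it reads only those fields with the standard library and reproduces the two finding IDs by name. The header-only PE it builds for testing is constructed (no sections, no code) and is not the sample on this page.

```python
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "NX_COMPAT": 0x0100,
    "GUARD_CF": 0x4000,
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Attribute Certificate Table (Authenticode blob)


def inspect_pe(data: bytes) -> Dict[str, object]:
    """Parse just enough of a PE header to reproduce the two BLint findings above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + 20  # COFF file header is 20 bytes; optional header follows
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        rva_count_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: 8-byte stack/heap fields shift these by 16
        rva_count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    (rva_count,) = struct.unpack_from("<I", data, opt + rva_count_off)
    sec_size = 0
    if rva_count > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    missing = [name for name, bit in DLL_FLAGS.items() if not dll_chars & bit]
    findings: List[str] = []
    if sec_size == 0:
        findings.append("CHECK_AUTHENTICODE")
    if "HIGH_ENTROPY_VA" in missing:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return {"magic": magic, "dll_characteristics": dll_chars, "missing_flags": missing,
            "authenticode_present": sec_size != 0, "findings": findings}


def build_header(magic: int, dll_chars: int, sec_size: int) -> bytes:
    """Synthesise a header-only PE (constructed test input, not a runnable binary)."""
    size_opt = 224 if magic == 0x10B else 240
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    rva_count_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    struct.pack_into("<I", opt, rva_count_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if sec_size else 0, sec_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as fh:
        print(inspect_pe(fh.read()))
```

Two caveats when reading the result. A non-zero Security directory only says a certificate blob is attached; it says nothing about whether the signature verifies or chains to a trusted root, and signed malware exists, so "authenticode present" is evidence, not a verdict. HIGH_ENTROPY_VA only changes behaviour when the image runs as a 64-bit process, so its absence is a weaker signal for a 32-bit-only binary than the "high" severity suggests.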

Comments