MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4718e1656f1f705c062702c9d6f26a0fc4de0a7fec3ced0e0b521432f5037be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

SHA256 hash: 4718e1656f1f705c062702c9d6f26a0fc4de0a7fec3ced0e0b521432f5037be3
SHA3-384 hash: df4c0dee6c40ad0bd34a80ab2fed07348e2e10a0bf51ff8793b4f9c9f7d70fca057097395f2637e971bd6141a47aceb8
SHA1 hash: 68891248e4bbb7961bfc4ff04592e073a8f2e58d
MD5 hash: 0ed53abfced617c589f9557a08d09bec
humanhash: may-papa-helium-bakerloo
File name: PO55004500211.exe
Signature: Formbook
File size: 362'332 bytes
First seen: 2021-07-10 05:57:46 UTC
Last seen: 2021-07-10 06:49:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 39 x VIPKeylogger)
ssdeep: 3072:GDxaVzwmg4CSW8JSuEUe1QJbBp06jGUrYdShT1LW3FX62Of4Lo9rI/i58Tk7WbPT:YMm4CCPB+6peQn2YCoSTOHdP5DCh+2
Threatray: 5'909 similar samples on MalwareBazaar
TLSH: T1BD74E0157254C06BC6D537B00F31C6B65BA1AD6E58609A1B33F8BF4F3AFD2839906722
Reporter: cocaman
Tags: exe FormBook INVOICE

Intelligence

File Origin
# of uploads: 3
# of downloads: 222
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO55004500211.exe
Verdict: Malicious activity
Analysis date: 2021-07-10 05:59:11 UTC
Tags: trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Result
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-09 18:11:30 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 19 of 46 (41.30%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Formbook
File: Executable exe 4718e1656f1f705c062702c9d6f26a0fc4de0a7fec3ced0e0b521432f5037be3 (this sample)

Comments