MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f
SHA3-384 hash:	8b2b182325cf7d4fe38c50e36a5f833b3a6f2e4d28abc2fa69acea91fb0f20e9ffbc28b54ba64761abc177933de430a9
SHA1 hash:	dab9c055ec8b649dbaded7edcef7c581a93a8a10
MD5 hash:	3d4d0e9849037a20eddfec5ca7f109cd
humanhash:	pasta-sixteen-utah-california
File name:	4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f
Download:	download sample
Signature	Formbook Create hunting rule
File size:	989'184 bytes
First seen:	2022-09-07 11:33:04 UTC
Last seen:	2022-09-07 12:46:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:hKGHZPEUDp3qowBZ6HMKp+1M7C7rn/TIKL56j/Tf+bBb7GymX7j3f4eAwRXIbUDD:hK6Mke7jbIKL5YMBbiyeMe9IbUDHDla
TLSH	T10425AE17AFA47608D4F75BB9DC6B686183F23809717EE3792E905C9B2DFA301D40162B
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	c6ccc84ec8cc8ad8 (10 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f

Verdict:

Malicious activity

Analysis date:

2022-09-07 11:35:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ed741e34-439e-477a-b2ba-20ed627a7ee8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308468/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1429.17363.9915.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

explorer.exe packed

Link:

https://www.filescan.io/uploads/631881eea90642bcbbe96979/reports/fc9becc5-2c27-4fe1-99cd-1d97830233b0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26faab8e-afa4-499c-b18f-bd29477ce34c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1066321

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2022-09-04 04:11:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 40 (67.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jaslqbt34zakfv6m5e2bbzttrlazkhm3j47xsms2uidh7avm3zxq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220907-npfmhahbek/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

bc0458809367c28e8cd74271f89238419e4ed2e0614ffa45cff185fae666cfb5

MD5 hash:

c2d80f0b090a11bddd0e50cf52692bee

SHA1 hash:

807e042c344a08ff4f986e1433452ede35c9cd72

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/06597b3a-6f5c-4f60-a1cb-adda40c1d757/

Parent samples :

27815dfd2b59d2e4e17362c000c326001dcd5a002349e48404b8d04a06e3bc18
bc314f342bf9eca2557cb138ae547bb19c8bb3b86899000e0631dc61d247a571
823668b847ae47d3210faeb01e11b10a81b2e6d84b0d47a34484fb6be8dfc67d
4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f

SH256 hash:

5ec68cdfe315327ec47189d9eb09cdf393221b9a5cd00aa2154f62ab24a29951

MD5 hash:

4c2b3cf43912ad6c0695db46f8e89e19

SHA1 hash:

af3e1cba05110eef4c086b14b52482915eaa5995

Link:

https://www.unpac.me/results/06597b3a-6f5c-4f60-a1cb-adda40c1d757/

SH256 hash:

642d5b8aa52ca35d8386a5b4302aa503d330753426dd950e6c2a47efdbb4b7e2

MD5 hash:

2e85fdecd9837f0895ee6568f97b3cfd

SHA1 hash:

a4df92cf9adfa1c7d26f6d19923cbfa4cbfc596f

Link:

https://www.unpac.me/results/06597b3a-6f5c-4f60-a1cb-adda40c1d757/

SH256 hash:

9af1ae48be7f05c2811ce53b4b47ec1c616e381f3e284574f4bbc7e2a18869e8

MD5 hash:

09b0210505d58e14e6b8fe4b72cadb04

SHA1 hash:

8b5af3f422d7531d9d6a0cdcd099441738e2fb74

Link:

https://www.unpac.me/results/06597b3a-6f5c-4f60-a1cb-adda40c1d757/

SH256 hash:

6ffb24c0c36fb44c26403be605a76b2d0ec5292ceea602be376941c3684c0158

MD5 hash:

a6e61bd69a832986e94a632e7bd1cf5f

SHA1 hash:

0fbb166e707f97ae0e2728d00cecde8aa569d5a6

Link:

https://www.unpac.me/results/06597b3a-6f5c-4f60-a1cb-adda40c1d757/

SH256 hash:

4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f

MD5 hash:

3d4d0e9849037a20eddfec5ca7f109cd

SHA1 hash:

dab9c055ec8b649dbaded7edcef7c581a93a8a10

Link:

https://www.unpac.me/results/06597b3a-6f5c-4f60-a1cb-adda40c1d757/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/4824b8067be640a2d7cce93410e6738ac1951d9b4f3f79325aa2067f82acde6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308468/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample