MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587
SHA3-384 hash: 7664b3dc30f4c6313cdfac5a30d06c278d0f01bb62b6b0fd58004ca153f2afabebcf204baf0761c391ee28815b76c5c1
SHA1 hash: 66804ca3acca658582d71e269d0f5a75556bbf67
MD5 hash: 2fc9552b8ba5dd08a67bfce7c35fbcc9
humanhash: wolfram-angel-asparagus-alaska
File name:2fc9552b8ba5dd08a67bfce7c35fbcc9.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:854'016 bytes
First seen:2023-03-15 15:19:10 UTC
Last seen:2023-03-15 16:56:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:hiz2uaiJGRTwd1LfazM46NDil+DXiFYKxH/sIqVhbc0oP1iESOQpQxIwfpyv6t:1uHJTvTaY461DXBKxH0I46P1iofb8
Threatray 122 similar samples on MalwareBazaar
TLSH T1A805014C662A1B66CE6C33FB8462355493B1AA588301F37E5EC564E71FF2BE4D901C8B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f8ec96b2b296ccf0 (8 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
RUS3109Y51.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 09:27:16 UTC
Tags:
stealer rat avemaria loader warzone
Link:
https://app.any.run/tasks/e2bd1d99-9dd3-4bcd-b8e0-76305fba663c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374579/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65941905.32054.16741.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6411e226b6216cc97f2de86a/reports/8230e238-cbb7-4148-b824-f097645a0e6f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93355486-b8f7-4fe0-812b-b2cc6609d23f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194270
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 827171 Sample: X6yu1q9YBY.exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 Sigma detected: Scheduled temp file as task from temp location 2->66 68 3 other signatures 2->68 8 X6yu1q9YBY.exe 7 2->8         started        12 BftTlDYOR.exe 5 2->12         started        process3 file4 48 C:\Users\user\AppData\Roaming\BftTlDYOR.exe, PE32 8->48 dropped 50 C:\Users\...\BftTlDYOR.exe:Zone.Identifier, ASCII 8->50 dropped 52 C:\Users\user\AppData\Local\...\tmpF4C3.tmp, XML 8->52 dropped 54 C:\Users\user\AppData\...\X6yu1q9YBY.exe.log, ASCII 8->54 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 8->70 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 14 X6yu1q9YBY.exe 8->14         started        17 powershell.exe 21 8->17         started        19 powershell.exe 21 8->19         started        21 schtasks.exe 1 8->21         started        76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 23 BftTlDYOR.exe 12->23         started        25 schtasks.exe 12->25         started        27 BftTlDYOR.exe 12->27         started        signatures5 process6 signatures7 88 Modifies the context of a thread in another process (thread injection) 14->88 90 Maps a DLL or memory area into another process 14->90 92 Sample uses process hollowing technique 14->92 94 Queues an APC in another process (thread injection) 14->94 29 explorer.exe 1 1 14->29 injected 33 conhost.exe 17->33         started        35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 25->39         started        process8 dnsIp9 56 www.tiflovector.ru 195.24.68.5, 49700, 49701, 80 RU-CENTERRU Russian Federation 29->56 58 td-ccm-168-233.wixdns.net 34.117.168.233, 49695, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 29->58 60 5 other IPs or domains 29->60 96 System process connects to network (likely due to code injection or exploit) 29->96 41 explorer.exe 29->41         started        44 autoconv.exe 29->44         started        46 wlanext.exe 29->46         started        signatures10 process11 signatures12 80 Tries to steal Mail credentials (via file / registry access) 41->80 82 Tries to harvest and steal browser information (history, passwords, etc) 41->82 84 Modifies the context of a thread in another process (thread injection) 41->84 86 Maps a DLL or memory area into another process 41->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 06:26:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 39 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ja62tzf2if3ey5vym3pz33i2ddfgogsyttle5yfnklc7m3naqwdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
34e23668337ce3dc96cec4ace686aa660d2935b1aab8f94978257a7012c2bbb4
Formbook
60f594736fc96f0657680d022bd9b9117a4a7d08c1e80812b29d64fa69f814a3
Formbook
77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6
Formbook
7a4cbe6918c174321d777bd64c6cd6d8c6a3ba69c07a43ca357a691f0ef6a480
Formbook
80b80845ee4a8518871ba71bba822baf33341129eb94c1f512684c613133c3bf
Formbook
9869161f7e5c3db884c0c8d55a4b02bacc81519e57f103a4c4d206bdf7fb6161
Formbook
9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
Formbook
a2bc978e30782179dc78f41866e3933bc0e76b0d18aa24bbc22733cf1cb9cc5f
Formbook
d81949804bc29604ac2de2ac9f2d360deae54a39d28edfbc9b323868b619b059
Formbook
fb1ccc21ef84112ec41d904546fa6e35c0ee0ff48626b68dd2d1839f77a4b508
Formbook
+ 112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230315-sqsqnsdh47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
8e43a1d677bc954f55f591fe65056e38f2dd689005d4bb429f8e071703b30db9
MD5 hash:
dfdef15d3b8edf6bc697bdb6ee4b094f
SHA1 hash:
bc9d48d43418f0ac5dd3656db5294bbb4852f6ec
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
SH256 hash:
69d8d8d9bcb48ca8155b9c2d281375c70eeea8c5dd78261b11fb01f85af2470d
MD5 hash:
47b7ee85ff27a8f754e67c1c8f5ec831
SHA1 hash:
f08ad6f876fc4e04ba4485745ccc314ab5d0299a
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
SH256 hash:
e571c95286577fb41932037483755b6e586405e4040140111668acdfb7ffe013
MD5 hash:
4e2373b55cf8ee0ed1bb9a51f5e32f5b
SHA1 hash:
df79d65c0ca6b5fd7e459e32639dcb3980e5c490
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
SH256 hash:
062f1fdcb49443e9cf75a8f056d4a8e70b2b61d4b111e66fa8117cb8e90e3b04
MD5 hash:
c66d068e7f5a3a68e122e7f88b782317
SHA1 hash:
c489486b0730a9923b77b2ca8e1eedba0214619d
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
900604b97bcdc423a6fe8980412c5bf39b3ac913fb202c07a3f1ede1125b9669
MD5 hash:
773d5adce2fd0ea58436d150256d54f0
SHA1 hash:
1986e82ef0cd50febd6de65121132cac6d328844
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
SH256 hash:
483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587
MD5 hash:
2fc9552b8ba5dd08a67bfce7c35fbcc9
SHA1 hash:
66804ca3acca658582d71e269d0f5a75556bbf67
Link:
https://www.unpac.me/results/0d0ff035-343d-46be-9baa-665334329ca5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/483da9e4ba41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/374579/
  
URLhaus
https://urlhaus.abuse.ch/url/2572448/
  
Delivery method
Distributed via web download

Comments