MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
SHA3-384 hash: c688143ebfec274e3d5acaa7d15f5cea4c24ee0adc31c50704df51c730fc208ff2c4b743db3c81ace237afa390552ecc
SHA1 hash: 1d48e601e3ba392fafde82b4a7fc0a39fba0a382
MD5 hash: 180165361384e56db00389733f0c54f5
humanhash: nine-neptune-zebra-avocado
File name:shipping document.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:730'112 bytes
First seen:2024-04-24 05:12:58 UTC
Last seen:2024-04-24 05:28:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:yNgLeFR6IXlv312Z33NUiiVtMrT5Xgb/ToMiliQNDksybWWcirgNw76c/Xz0:mXJ312Z3uiUrTAi+yaWBrvB
Threatray 575 similar samples on MalwareBazaar
TLSH T179F4225133EA4912D27C1B760CB940115BF2F85A6A70C3DC8DE294CB46D3F0A8EB5B6B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon ccd444444444d4d4 (6 x Formbook, 4 x AgentTesla)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c.exe
Verdict:
Suspicious activity
Analysis date:
2024-04-24 06:54:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/769410c0-f70d-471e-a916-c8881cf35683

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd44dce3-5ae6-4997-8e2f-43fffa3442c0
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430793
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430793 Sample: shipping document.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 27 www.tondex.finance 2->27 29 www.tavernadoheroi.store 2->29 31 19 other IPs or domains 2->31 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 10 shipping document.exe 3 2->10         started        signatures3 process4 process5 12 shipping document.exe 10->12         started        signatures6 57 Maps a DLL or memory area into another process 12->57 15 oWRaEnEJAq.exe 12->15 injected process7 signatures8 59 Found direct / indirect Syscall (likely to bypass EDR) 15->59 18 openfiles.exe 13 15->18         started        process9 signatures10 39 Tries to steal Mail credentials (via file / registry access) 18->39 41 Tries to harvest and steal browser information (history, passwords, etc) 18->41 43 Modifies the context of a thread in another process (thread injection) 18->43 45 2 other signatures 18->45 21 oWRaEnEJAq.exe 18->21 injected 25 firefox.exe 18->25         started        process11 dnsIp12 33 www.heldhold.life 203.161.46.103, 49750, 49751, 49752 VNPT-AS-VNVNPTCorpVN Malaysia 21->33 35 tavernadoheroi.store 162.240.81.18, 49754, 49755, 49756 UNIFIEDLAYER-AS-1US United States 21->35 37 9 other IPs or domains 21->37 55 Found direct / indirect Syscall (likely to bypass EDR) 21->55 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-04-24 02:51:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdfhbqa6q4cdimcmzvii56enqjfy2pevrdezaqbnvzcquxsw646a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28e94d28c0ef766cff0b765f103a336c4d7657460cb1e811b1a16e12c645401d
Formbook
3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
Formbook
635d1ea9728310e492a728ff14145c39a5c7594ebd75b9c70e4d44d45f9bd85b
Formbook
8cb37e1ab48747e7fb63dd2ac1bffe1c9f0fa98c160613922a995935d6abd2cc
Formbook
955f2a6426664a728fde4871d6309cf821c17187b4671e3917d83dc968d36e96
Formbook
99450e636243dad54861d58c1e62fae329b69b4c9af6ed1f53fba851d20b2fa7
Formbook
c7a16881f8c69d16a9b0bdcbfdd5c4aada81eba19521d1c03ee7f6005f7d6629
Formbook
f24092f3ff18dc8a33a8e87f1cd0271aaeb22a1d5202ddf59979b4b8d0d784fc
Formbook
+ 565 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240424-fwed1sfb65/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
32bf6832143ab8b98107d3b25754742ec33ae043ff125d27869caa287023515c
MD5 hash:
16e913c65371613cb6dd1af205ac6efa
SHA1 hash:
6b47bd848cd17039b60b6e9c80627c2516f19af8
Link:
https://www.unpac.me/results/eb9f80ee-dc0a-4dd8-a9c8-24fdbb4ca63d/
SH256 hash:
d901a47b5b4ea6bf997e5838a1f0966128bdb992e60962b0b334e50d0babaa53
MD5 hash:
80ed8eba3fe3c574e0a540cbc79488aa
SHA1 hash:
e6065d954bbf8a45daea1d9ef9fcfaac261ff88c
Link:
https://www.unpac.me/results/eb9f80ee-dc0a-4dd8-a9c8-24fdbb4ca63d/
SH256 hash:
5b2e63a3e3a123e47fa42aa5ad67b66ce63434fa616b44764738dba39cd93df7
MD5 hash:
83be9f4edfaf60ea444a25ba20d9b583
SHA1 hash:
e2967a2927f4faafad7fcb5298730d4a756d2645
Link:
https://www.unpac.me/results/eb9f80ee-dc0a-4dd8-a9c8-24fdbb4ca63d/
SH256 hash:
1c633f39a192f108f755e0bcf412e8489ad80781f3b7807c80892deb2526ff0d
MD5 hash:
e4b5d57e9e46a4e76075b5b92f71577f
SHA1 hash:
d76dc165724148193c6911cc75fc62c198737d3a
Link:
https://www.unpac.me/results/eb9f80ee-dc0a-4dd8-a9c8-24fdbb4ca63d/
Parent samples :
d89ea6a01347b82f963ed7960583e5d76c6a07e91852fae83bc290e0f64a06b2
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
SH256 hash:
a3de65d9607fa28995b6d60b0ad501d36107454865c7a74e8121ec11320ae565
MD5 hash:
7dfefede4d4b4d15fe2c4d83996e9e1a
SHA1 hash:
62e0258f0a8d23d17225ff7ad0b304ab12a9fd6a
Link:
https://www.unpac.me/results/eb9f80ee-dc0a-4dd8-a9c8-24fdbb4ca63d/
SH256 hash:
48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
MD5 hash:
180165361384e56db00389733f0c54f5
SHA1 hash:
1d48e601e3ba392fafde82b4a7fc0a39fba0a382
Link:
https://www.unpac.me/results/eb9f80ee-dc0a-4dd8-a9c8-24fdbb4ca63d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48ca70c01e87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments