MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0
SHA3-384 hash: 037a66205e91185934802ee670656743659411b17b2061e3a5cd0cac190ab6504237aaaa9a8b0427f5a3ca10d5542169
SHA1 hash: 69be5027543c20ef71c06d00cf8d2d33cf9d51f2
MD5 hash: 2f3a3cfb5b91580e6d87e8642f9d8439
humanhash: maryland-salami-edward-ink
File name:FedEX AWB AND INV.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:693'760 bytes
First seen:2023-08-02 08:55:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:K+uZw/YmJ+37zZaI3So1Ww2TndPGSOhT5aU1Lt23+8HcjjsG+aHD8:K+uK/YmQ37zZaIl1GTdPIT5PE/cjI+D8
Threatray 3'446 similar samples on MalwareBazaar
TLSH T172E4233015B4EF2ECA3B0BBE0971405113F2965E3530EB2E4F8576E96A317825B56EF2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2e29a86e6ea8686 (13 x AgentTesla, 5 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:exe FedEx FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEX AWB AND INV.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-02 09:08:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b42b122-a029-40d8-99f5-0775cc37b824

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439786/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68455127.14602.15984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64ca1a2358785b2ae2186bb3/reports/7793397a-7c24-49ac-bf6a-b0b2b108e54a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/339b25d7-6c35-44a2-a841-47757655d3ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1284260
Signature
.NET source code contains potential unpacker
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 14:15:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jeastxz3t4kiwj7yowrt3hsnlbfdi4bfbvdll32373rtmzcaqgya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
Formbook
2fe516e9dac323f21ac793310c22d151e6d95079a59cc99ed6cad79691901c26
Formbook
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Formbook
4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
Formbook
5348bcccead193b46acc11339b9c3ff05395753d536a0952641af34382e08604
Formbook
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
Formbook
9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
Formbook
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
Formbook
fca144f13d2819b16b527620ba2e1d844a41b3b91057b869751ff004ac6d9d3c
Formbook
+ 3'436 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230802-kv1m3seh7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e19264c74d7e9e7bdb1285d3ee5e917860eeeb9fe8687b32db67706eaa31281a
MD5 hash:
542ef80ceb62960eb33fbe6032e7d61c
SHA1 hash:
6e68147757bfb122d5915751ec99e454ee46923d
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/76b21293-5fd5-44e2-bee4-96b7bd98b47d/
Parent samples :
2fe516e9dac323f21ac793310c22d151e6d95079a59cc99ed6cad79691901c26
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
bfb1e4ae02e8f53a6d2023eeda4399be5502b9ab99770c9c3e4bfde0548a459b
490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0
831fb5c161081d10c2e952ef793f5db28c5aba8b7e0e858aa1e755481b875baf
SH256 hash:
11b0695e4b2ff83ae2454447092e1ca84581d3341dba1433fba718f13851e575
MD5 hash:
18462fcdfc6d9057e79fed9ef4d57d79
SHA1 hash:
427f69305ee749e27fd865cb220a2a79d5c037a0
Link:
https://www.unpac.me/results/76b21293-5fd5-44e2-bee4-96b7bd98b47d/
SH256 hash:
ce70b762f00b1f1f5b5b608df8944663757b444a9a0073efcebf373097b78511
MD5 hash:
140c5dfc819673474867dee81b42c5a0
SHA1 hash:
dd3e61e55bc2a9fae23b0932ba330e69b5521247
Link:
https://www.unpac.me/results/76b21293-5fd5-44e2-bee4-96b7bd98b47d/
SH256 hash:
04f6627aaa074ab0cf9f0b2e8a247a1e223c2c38df9f6ccc83ed06558d5ee879
MD5 hash:
d4b9d6c2140738a06b4f2ca8be974ed9
SHA1 hash:
8b2c6616851dcbe41df59ebcdaf025f2cb17f68c
Link:
https://www.unpac.me/results/76b21293-5fd5-44e2-bee4-96b7bd98b47d/
SH256 hash:
190d10201410fc18054de7f17a4cabdfb593ff9bfcef49ba84bba4f42e4238d0
MD5 hash:
c63755c0167db419facbab9004c6ffc8
SHA1 hash:
40b860af3797e7470a818176e87b497c3ad803be
Link:
https://www.unpac.me/results/76b21293-5fd5-44e2-bee4-96b7bd98b47d/
SH256 hash:
490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0
MD5 hash:
2f3a3cfb5b91580e6d87e8642f9d8439
SHA1 hash:
69be5027543c20ef71c06d00cf8d2d33cf9d51f2
Link:
https://www.unpac.me/results/76b21293-5fd5-44e2-bee4-96b7bd98b47d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439786/

Comments