MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324
SHA3-384 hash:	3760eb76624d364a859f1945f0365768a278f4ff4cf09b77cb118c1cc658e591566459fe92596bea68570ca7674bd3d8
SHA1 hash:	bf2328c1d812a511afefe8b390f0645ed5acf17e
MD5 hash:	19bddaeb1d8938d66673c1112d8d471c
humanhash:	social-oregon-asparagus-foxtrot
File name:	19bddaeb1d8938d66673c1112d8d471c.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	356'416 bytes
First seen:	2023-01-12 15:46:51 UTC
Last seen:	2023-01-12 17:36:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:/Ya6CSz3M2skORlRU6dRqgcj3iaQ6UB0tCA6CT4MaBXazV:/YVbM2svlRHdMgcjBQlBrpMxV
TLSH	T15B74262C12FB827DE0C0E473E6A74A71A5E44C1FFC8499D6A6587C2D39BE4E5420DD8B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	62c293b2eacebeba (1 x NanoCore, 1 x AgentTesla, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

19bddaeb1d8938d66673c1112d8d471c.exe

Verdict:

Malicious activity

Analysis date:

2023-01-12 15:50:12 UTC

Tags:

formbook xloader trojan stealer

Link:

https://app.any.run/tasks/c78c15a4-ce59-4b84-8944-886a660a0cae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352344/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.8403.486.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Searching for synchronization primitives

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Sending a custom TCP request

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

No Threat

Threat level:

2/10

Confidence:

80%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63c02b7da8d8c7dd03205b26/reports/7af1adcd-f07e-44bc-95c3-7d3fe5dab6ad/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fee43984-504d-47e0-b0a9-22db2a2e3cb8

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1150474

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2023-01-11 17:17:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 41 (60.98%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jg45dumnwmkbnguwlxmhhr4bdmcvm5osgqvbt6bknrfnhq5f2msa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:pe63 rat spyware stealer trojan

Link:

https://tria.ge/reports/230112-s77wxsge72/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0256182d-5fa4-4d4a-b175-393d375a7407

Unpacked files

SH256 hash:

86610d8301d5a02b325c12fa05b79ec40cfad7f208638d56a7fc73abf4fb4ee1

MD5 hash:

6acfaba232d9c65a1317a90997b183b6

SHA1 hash:

40641ff46fe66002959e38e77fbd5b02dd277563

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/4cf8fde9-a07d-4948-a751-2fe7629843d8/

Parent samples :

f7bb2d35300a95c164089832c13410023d2293390130109ae3693fd0d05a3df8
6939dc228a639047d104443f9ac4081aa719653b18aaaca6407ccc9e925fce30
19907e5318d4427729e86994feffe2418e2d6aa0c2a97b123bf553f80f0b89af
49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324
afbccae6537d0602edbc99ef03ec8b89ec23df241079f949c0b8a0aa6f9aa8f0
8dbb132dccc8fb8a83062fec3840b1556a75862c07d22a0740ca095698ed0f6d
d22aed126e64e2ca691c2b8779d7e18f557de18757ba56e265608890960cd09e
520332210fa79a3628b8a514f18ba872117489cb013809161629d1443d8ae800
909735e8a902e299207563464959d2b7a8d3821e74cdb1aade9a17162c599e23
fdf0c7d08d92b27b19cd74779d71066a5605f3389421a4b9f3e50276ed7223ea
734bbe06c909b28854008cc74bfb94d4bcb19d5e9d1c58bc5e00da61f85c4cfe
78ec1f0df89f01bef78e2b508a8980f38fffc556387be3972ace6758f0441da6
9c1292869bf34d5077f8f2bffd19ff671a0dcd996734c3d8af1e484cac42d80d
0d8e7bb7da2c64a94fc9b21f1a39079b7ac761ff4797c7091eaac4dd9b07473b
7a4cbe6918c174321d777bd64c6cd6d8c6a3ba69c07a43ca357a691f0ef6a480

SH256 hash:

31a0f6442eadd15f5488eb2fc707549e5664cbeb0236a3dfa4d57f8a457b9b17

MD5 hash:

21fabae50803b642712c3a0aa78db179

SHA1 hash:

3271a1cebe0865202f5699a160e3df542dce3751

Link:

https://www.unpac.me/results/4cf8fde9-a07d-4948-a751-2fe7629843d8/

SH256 hash:

49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324

MD5 hash:

19bddaeb1d8938d66673c1112d8d471c

SHA1 hash:

bf2328c1d812a511afefe8b390f0645ed5acf17e

Link:

https://www.unpac.me/results/4cf8fde9-a07d-4948-a751-2fe7629843d8/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49b9d1d18db3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 49b9d1d18db314169a965dd873c7811b055675d2342a19f82a6c4ad3c3a5d324

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2503639/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/352344/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample