MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82
SHA3-384 hash:	412d295e663cab64521c04579351ef6901b7c147610b51a5421c523dcd9d185819b31c846bc503459e0312d7a39c0662
SHA1 hash:	e56fa55a069dc855cf50824ec19cb1ffa3de0eac
MD5 hash:	a8e3000ef6b901fd856fa47d729e3183
humanhash:	vegan-early-march-west
File name:	a8e3000ef6b901fd856fa47d729e3183.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	634'880 bytes
First seen:	2023-04-14 06:53:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:Pf2iNfi5ThIr/B7iFf1ZhWz0K93O+MT520rCty:Pf1xqss3Wz0cO+MKt
Threatray	2'516 similar samples on MalwareBazaar
TLSH	T103D4126A70A99F11C5BF0BFA5CA2310523B6259FF432E6DD0CC621ED29663B00912FD7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a8e3000ef6b901fd856fa47d729e3183.exe

Verdict:

No threats detected

Analysis date:

2023-04-14 06:54:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fa5389cf-cfd4-45e8-bf59-9405726d66db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/382198/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed unsafe

Link:

https://www.filescan.io/uploads/6438f88bb4ec50bace6023fa/reports/42bd6c07-9e4b-4cb0-b9f3-033bf5ae4650/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5787ffea-14c7-49cc-b13e-6ae0fa3ab10a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1213735

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jhnk3yzkalfnkufjbgw5jdmyvlddvqomz5zjowgxbgmxlljfzkba._file

Verdict:

malicious

Label(s):

formbook

Formbook

17483ba2526d9ba490c29dc88e5c1a066b0c26f22243e02d312542a53f292393

Formbook

42f025f744bb97509425ac749ada6c20ef6439d193e537a013b981ad4d21e124

Formbook

5267caaadc1e9d045e08de329de614b3b85f615aeec1a5927c32cfe82d493d2c

Formbook

5e86212f51e61517dde3cc7d0c36b73a392816d73e18bd14d83b374bcf17ecf5

Formbook

80c6293d18c38b686ea6ab60d134247f8d72553be2d20a305b94c78115227667

Formbook

c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869

Formbook

d744371010d5b494046c105db860eacdacd4b639408c7543407ab426f5bf4808

Formbook

f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb

Formbook

f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad

Formbook

+ 2'506 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230414-hn7rpsab91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

7f0becc3402c74aa7ffefea133dd54fc093d471b913877e8c4e756dccf6fb82d

MD5 hash:

e31ec0d2aa543ebc66c1e4df989437f4

SHA1 hash:

adf1135d64e92b51d62cff47a567f81fb08b261e

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

Parent samples :

c3a43716e23c04e5c2630c2e7f8e6911443fe4faa38e38ee1e5e60a8ecc24869
49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82
d744371010d5b494046c105db860eacdacd4b639408c7543407ab426f5bf4808
898d893d7c46d0c70d498f0323b24175c4d49df99b88f57d30aef08cb3e3edca
a3225cdecee4f51aef9815859cdbaa70d5ce3b5e97d52518a5e0c5e2ac5deb12
61abb254011d46a438c4e736cef97d8a2a51483f9fe6903f693479cd7df643bf

SH256 hash:

3f386183a3404f5946c68d418d6c42327e9677859531a10dcb5f5b5753c1eb52

MD5 hash:

1289d074a7dff19b5913e8a8ab2a4397

SHA1 hash:

cf3920ef03251ab39e0208ebd08aa6a526c112c3

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

SH256 hash:

ea15a3b92c7a5576febba52dc0f3dbed02b81b45b027727137e957aa23380059

MD5 hash:

0dfbe08ed0f86f632fbf2426b3485463

SHA1 hash:

d6af5f31183ebabff70be5ac4b1b42612d8f7135

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

SH256 hash:

5c5fa93b084f48f96431a9f630a2671a2e41434196984d2fa03db412e4cd4d53

MD5 hash:

276cb425524647cb7dd83df5f6be2ea2

SHA1 hash:

b77199a4cd4ce6a5e8ce7ac9b43116361a3c2e34

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

SH256 hash:

c637a2b912cec586eb9eb9ee374b1a44400927f661eb1e9e959ffe0338a527dc

MD5 hash:

b724fbf2a4514392e6de7533113075d0

SHA1 hash:

47445e97aa1afb4b30443009f9bc283e5eae3b7b

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

SH256 hash:

f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1

MD5 hash:

567bbf43aac601560b1def4a872d4089

SHA1 hash:

21dfc6e6ecf39c9c23927c114ca911559ca4593e

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

SH256 hash:

49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82

MD5 hash:

a8e3000ef6b901fd856fa47d729e3183

SHA1 hash:

e56fa55a069dc855cf50824ec19cb1ffa3de0eac

Link:

https://www.unpac.me/results/d3502c02-616c-40e4-b343-b9ce03d7113b/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/49daade32a02/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Dotnet_Hidden_Executables_Detect Create hunting rule
Author:	Mehmet Ali Kerimoglu (@CYB3RMX)
Description:	This rule detects hidden PE file presence.
Reference:	https://github.com/CYB3RMX/Qu1cksc0pe

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 49daade32a02cad550a909add48d98aac63ac1cccf729758d7099975ad25ca82

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2298641/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/382198/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample