MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec
SHA3-384 hash: c83ad11c1bf7c8fa62bec50b6d97cd8e75d47c818fed0e7f25a8c886d85b15807c68980ce7b7fe2c28372b8137e510f8
SHA1 hash: c5bd732de668750a0226dfeabc6fcdfdd9a1cff8
MD5 hash: bf4c4e76754d282260b0c9a35e3eeeeb
humanhash: chicken-jersey-winter-oxygen
File name:Purchase_OrderNo21320232024.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:637'440 bytes
First seen:2023-12-02 16:44:24 UTC
Last seen:2023-12-02 18:27:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:6C6gJUIYdyU0TBHuuBJzIyM5M+Qh1nu4dl7sc4udzxd:KgJu8UAIDLQHuGl7snulb
Threatray 958 similar samples on MalwareBazaar
TLSH T1CFD4120A23695752D9BE8BFB74D0840483B3BA179155F25C0DD220EF7B72B418D92FAB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 30e8ccd4716961e8 (15 x AgentTesla, 3 x Formbook, 1 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461925/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/656b62a6380413dc0c2c500d/reports/da30aa8f-a579-4bec-9456-21a43c1cad3d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50951a53-8455-40d8-a4c8-c418b171511e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352150
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 11:07:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjpjbl5rfp4w4yncgpzieslv2uu4ok223yrgd5m2zd22bypcilwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
2098a0c04c68816feb9f55e8de37b4de35fa819850dda0390559f1f83ec0d6b7
Formbook
237694adba91b73248b5c823bfbcc1c2169ccd44871be880926a6bdb6d665540
Formbook
4a182c398c109d1c4863ef54ce1a34461547d9437e99c62d3f11853cebae39c0
Formbook
722d2203c16ee92a4ca9476191a40da3ee3cbed17e0b810963ffb1d4e08c887a
Formbook
d42c0f3feb463d2bc5899d453f2c5cc05efc8c4a63dff73982e0d0447f41a4b0
Formbook
efe39c5110b88d729074100bc89af380138174b641501f76eea1a8650ac88c8c
Formbook
+ 948 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o07d rat spyware stealer trojan
Link:
https://tria.ge/reports/231202-t9dxaseb46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
0d01a55d950be4a12a097c6e08b78d3d659ad0cdff4ea4dcfebe6c782d45750a
MD5 hash:
df349e5e18c5c1aed3ae0a21f78174ec
SHA1 hash:
7b5a145100d9cafba003321a564456b7e6e561b6
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/c89825a6-17f8-4a8f-b889-44e4a4dc7ce4/
Parent samples :
ecaa8fb67add255be2f367877538a5b2c3db6be3b3c00663b0e28569effa68b9
4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec
6c5a9b4eec9d4bb7e7db05662c3c0d370afd28510b3fdbe7639af75fd1e573a6
SH256 hash:
eab4b15edc4c8e0c0dfd43ecf63e30f8feb0d591e59db849f37acc849988f043
MD5 hash:
d17418588b8c5e0050445ab16f24d2a0
SHA1 hash:
f7b9e0784562a40f0a7db840620ff37cf2d45f47
Link:
https://www.unpac.me/results/c89825a6-17f8-4a8f-b889-44e4a4dc7ce4/
SH256 hash:
bc99dcc182eaf17394c34611c1aef4ad45c3079ae116c19caa17620d64c39f7c
MD5 hash:
84fe0cc42b4f30e7b6f58c92f9ad3d56
SHA1 hash:
d753cc7cc8e2927f9cde57fb67b5bceebd2f5fd2
Link:
https://www.unpac.me/results/c89825a6-17f8-4a8f-b889-44e4a4dc7ce4/
SH256 hash:
0e8a5f6bd3e915b9d2fae9428730dc5017348d23b622bccbb1971e352052734b
MD5 hash:
56feb04fdc8b0453c62267ac204ed555
SHA1 hash:
7d41fb41cac90bea85cb6691a5945568115cbcbf
Link:
https://www.unpac.me/results/c89825a6-17f8-4a8f-b889-44e4a4dc7ce4/
SH256 hash:
c21b6fd7ec0b3a56e0ff61fbca397d148bd16b30b22d87b73a043788fa68b160
MD5 hash:
d1ff7e07981e3270f0a49e91a9c1ebd5
SHA1 hash:
2a8d51d522e9b13480271aeb820dd36a3e80ea0c
Link:
https://www.unpac.me/results/c89825a6-17f8-4a8f-b889-44e4a4dc7ce4/
SH256 hash:
4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec
MD5 hash:
bf4c4e76754d282260b0c9a35e3eeeeb
SHA1 hash:
c5bd732de668750a0226dfeabc6fcdfdd9a1cff8
Link:
https://www.unpac.me/results/c89825a6-17f8-4a8f-b889-44e4a4dc7ce4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a5e90afb12b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/461925/

Comments