MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 2
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b
SHA3-384 hash: be8c69ea9f635b8cef98b97483d00ff36a8627c94e7902001478572aeef632eca5048960c4e89b6c7cb027ed21aa4f51
SHA1 hash: e4c14aeb70a32cc48742dc6326f5dae6ad6b10ac
MD5 hash: 33b47b2cc80b7b1ebd78716c7075871e
humanhash: missouri-beryllium-july-twelve
File name:33b47b2cc80b7b1ebd78716c7075871e
Download: download sample
Signature Formbook
Create hunting rule
File size:437'248 bytes
First seen:2022-03-08 17:25:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:sM6Cfs1PBsx2wevhkvJwpZGs3BH/Xfrx76jZJdCWIOxZafjbg12BxEkteCfYc:sIfsRBsxS7pccB/DQj/dxIOxgjbg1ol
Threatray 132 similar samples on MalwareBazaar
TLSH T11794C05BFB16D1D6C85E4F3DECB19A280728EB30F976631371856DEAED321DB2840464
File icon (PE):PE icon
dhash icon 69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248396/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62279abedfdfa8501c7b700b/reports/e3b7a0eb-54c7-4ee6-bbbe-4f4caccaed4f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76721415-9c86-410a-93ff-2f05ec86c810
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952825
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 17:32:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0045e4acf0984e3982a7b0c31f8c36ce86528657bf1a41c2b5cefc71b75e9c01
Formbook
0b208ebf2d49aff15830eb04d120dee50a9d715dbad6431366f0affeec4bc463
Formbook
152a8c9badf0872103ddcac3e770febabcf4c076197347355ef2a811f935d87f
Formbook
69e2e974e72cad787eefb413d7a2cec8bf4f71365ac46093556a8362e9ada553
Formbook
6c5d65e162cb2bff561f42d4dcf1ad21a448cd19affc949b983eb4a08120af04
Formbook
70b7329553824ba9b15c2aa19172782ed7a731dba67dc34597e1a25775ddea26
Formbook
b4433e10d6b0efd343e586a877e4b9823efe364c2e193a3943c7a7352837ebed
Formbook
d8079b19aa1f119485291950ae0580757618dd23c4d18eed64e06aa3a86c1751
Formbook
e4d309967904ca32fa5a00e70161c95621c687e46f2512bac1f061b0303fe863
Formbook
+ 122 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:vfm2 loader persistence rat
Link:
https://tria.ge/reports/220308-vzvmqscfal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
94776304d3db40226d09f68f13a0c4cea392e80b8de6616b8f83affa006cf289
MD5 hash:
09791a1a6a77ddf2e2e1781c69e055e7
SHA1 hash:
9aa30a78ae24fc122948a4ce9aab4f54d9e7f3f3
Link:
https://www.unpac.me/results/16f1cd03-8d87-4e50-8e6f-81d14057a8fd/
SH256 hash:
812e00ad68a231fd14b34619b782e2230a9563aa0fcf1c8082c58911223e8250
MD5 hash:
32a4d2f6d7d184c27b3392e67cbc415f
SHA1 hash:
e93c5c4ab350747a0c118661ded74be70c83c952
Link:
https://www.unpac.me/results/16f1cd03-8d87-4e50-8e6f-81d14057a8fd/
SH256 hash:
aebfe918b516192a6ecdad451f90e8ae597b91d8c650be89363c45d20f5a41cb
MD5 hash:
4c3cfedf5d918c8277075db324ba11de
SHA1 hash:
eca39c0b3ec056a38e9c3a75902a40af9480cf2e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/16f1cd03-8d87-4e50-8e6f-81d14057a8fd/
Parent samples :
4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b
94e8308989d63f75b02e89c5d30e01d9d7dedbf7bb446d3aa6fb83b6e20bcecc
3354bfb1dd06bae0110dac4363b13fde838e8299af8d9acb67fe5a39ae4159bf
6e164cb51ca6a0c1c9c27d4d4fece6d970bfe924be2f5766fd2d04bd59fe0d6e
c349c8a20c6576c397a5dff95fb121e7a16dfdd992e08694a4aacf387cf8c3e7
19d34ef30d521849caa19f1cf2adc2f4c8097483cfb436ff6066ad60387b630f
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
SH256 hash:
4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b
MD5 hash:
33b47b2cc80b7b1ebd78716c7075871e
SHA1 hash:
e4c14aeb70a32cc48742dc6326f5dae6ad6b10ac
Link:
https://www.unpac.me/results/16f1cd03-8d87-4e50-8e6f-81d14057a8fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reverse_DOS_header
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects an reversed DOS header
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4ba1bb8220fe9f1c374cf2583459ac05af4ecf4a0ed023f42cac04da0dd0ea8b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2084585/
Cape
Cape
https://www.capesandbox.com/analysis/248396/

Comments


Avatar
TomU | I'm still here... til the end commented on 2022-03-09 17:21:12 UTC

https://urlhaus.abuse.ch/url/2084585/

--- mail headers ---
Date: Tue, 08 Mar 2022 08:36:13 -0800
From: =?UTF-8?Q?Liliana_Garc=C3=ADa_Rinc=C3=B3n?= <info@siafakas.com>
Subject: =?UTF-8?Q?Fornecer_cota=C3=A7=C3=A3o_para_os_itens_listados?=
User-Agent: Roundcube Webmail/1.4.13
Message-ID: <53e968bd4aa15cff2a12d3ac22c34240@siafakas.com>

--- mail attachments (spaces replaced with [_X]) ---
a20bf16c81acff33a88c3cef97cfe850 ./PO-8372929.xlsx

--- mail attachments (JBX fileinfo) ---
filetype: CDFV2 Encrypted
filename: PO-8372929.xlsx
md5: a20bf16c81acff33a88c3cef97cfe850
sha1: 35ae3bf2d0878e6309329ff80f0e4cfd85eac1ca
sha256: 1aa327a5b07efcc63ef5b84f6fc7cb217e012106c2805b4726841d96491098c3

Avatar
zbet commented on 2022-03-08 17:25:56 UTC

url : hxxp://107.174.138.144/kmk/baa.exe