MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ba8bb8c08c2ca600d1359b3533af1b50e93083858305d320d30de47a89652b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments 1

SHA256 hash:	4ba8bb8c08c2ca600d1359b3533af1b50e93083858305d320d30de47a89652b8
SHA3-384 hash:	7c80d336bb2f9f6b2b598b0b1d00b411ebaa0b0ce93471f15a3208af04d9273307d99657fd56cedc40d4392282b4e76b
SHA1 hash:	721bb94b2a06d047862aeb81f3f054d1f1b8cba2
MD5 hash:	58155673d0d47b5ee20a25ea89b07f23
humanhash:	purple-tango-oxygen-kentucky
File name:	58155673d0d47b5ee20a25ea89b07f23
Download:	download sample
Signature	Formbook Create hunting rule
File size:	258'844 bytes
First seen:	2023-05-08 00:11:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:vYa6M/FcMInoIUE3rxNIQuVKJRpnA8JYdDYx9o/FW:vYi/FS8E/iHdG
TLSH	T1B94412A4651AC4BFDDB70A710F3E0377EAB269332438930B1B209A4D7E65795C91D3B1
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	96e8e0d4d4ccb2a4 (9 x Formbook, 6 x AveMariaRAT, 4 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

58155673d0d47b5ee20a25ea89b07f23

Verdict:

Suspicious activity

Analysis date:

2023-05-08 00:12:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a57d8034-ea9e-449b-85fb-0a4294ea0461

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/387351/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.22782.20832.11479.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Sending a custom TCP request

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/82985/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo nemesis overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/64583e56c2315c7ec20e5896/reports/653381e9-1afb-483b-83fb-f3196c25ed66/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4ba8bb8c08c2ca600d1359b3533af1b50e93083858305d320d30de47a89652b8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4689e233-af37-48b2-9b83-86389a854158

Result

Threat name:

NSISDropper, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1227899

Signature

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ba8bb8c08c2ca600d1359b3533af1b50e93083858305d320d30de47a89652b8/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-05-04 21:42:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=joulxdaiylfgaditlgzvgoxrwuhjgcbylayf2mqngdpepkewkk4a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230508-ag6xtsab3v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

df8dc0938d61d12249eb00a41c36e2d18cf3bb428a8360c1ca0ab298813841f9

MD5 hash:

1c665a60d2aa2794dba39198dbaafd42

SHA1 hash:

a9bb9e549769d7dd23e6160900299d076c582220

Link:

https://www.unpac.me/results/e1fc4840-ecfc-40ef-87c8-293f853aed9c/

SH256 hash:

4ba8bb8c08c2ca600d1359b3533af1b50e93083858305d320d30de47a89652b8

MD5 hash:

58155673d0d47b5ee20a25ea89b07f23

SHA1 hash:

721bb94b2a06d047862aeb81f3f054d1f1b8cba2

Link:

https://www.unpac.me/results/e1fc4840-ecfc-40ef-87c8-293f853aed9c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ba8bb8c08c2ca600d1359b3533af1b50e93083858305d320d30de47a89652b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.