MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742
SHA3-384 hash:	2d862db3d0147787bbdfc05211adb631aedac7ad3a610a6038e6d56e4bf3828d8d496013027586e31ea71ab48612d5a9
SHA1 hash:	10cc4273cfbe1f0876696fb0e046370b4f4f26fe
MD5 hash:	f4a17b8e7d924cb0981a717aa945117e
humanhash:	emma-louisiana-four-august
File name:	Items Description RFQ_STE sa_Argentina..exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	700'928 bytes
First seen:	2023-05-22 18:19:25 UTC
Last seen:	2023-05-22 18:38:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:1tJx0YPX/NqPs6UQHPLzbQexNf8t8TPljvyqQ4HYQyC0UvYU0yyRw:1t8HPs6UwLzbRf8teljaJ4XB0U
Threatray	2'948 similar samples on MalwareBazaar
TLSH	T108E4F1D166948D10E6975FF959B3F13403B96CA1EB23C70928E46D9BBC62B813B10BD3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	224472b2a0c04280 (13 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Items Description RFQ_STE sa_Argentina..exe

Verdict:

Malicious activity

Analysis date:

2023-05-22 18:21:22 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/d06a881a-390d-463e-90fe-282db03a3424

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67164735.14853.3379.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Searching for synchronization primitives

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/646bb25c495591a75df50c7c/reports/faf5d8b9-ae7e-4662-bbca-4b0afcae3446/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29c911ce-8592-411c-a4c3-084a748a1b32

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1239948

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-22 01:23:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jovl7hrr74ps73eputzrmxkuk2bwymdvsg7yqqhmlkahi5m745ba._file

Verdict:

malicious

Label(s):

formbook

Formbook

47c74b216015a03abc6bf2a786c4c760fe23f5ce920c9a0ed6e68aa340568e84

Formbook

98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86

Formbook

9b2e05373198bfa063d54ff638d844588e31039c27be226a91deade5c0b2bf48

Formbook

9c3d5704da83029f78ee8cf532c746cd04834f5375a698f21c50040ade6c5a09

Formbook

a2ed07bb61747f46086f07900e698d552f1a36ac21bbeee313894743aeb1276a

Formbook

b81b5d7a927299cc54748988d70523c615e82e21482652510a1a95db89b3521d

Formbook

bfede26656dbab01c01f5187f8a5d9b63cd0f8bba301e8c1d145bda515960f02

Formbook

c918d1ae4c1635db9333c72fa06a6b04afa4a2ab37f494cd24c5e3fbc6963ead

Formbook

+ 2'938 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ks01 rat spyware stealer trojan

Link:

https://tria.ge/reports/230522-wyr1wscf6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

335a8639aa88b194512bbd5dd4739d60304a0841d4f3490f7583fd9edb6707c1

MD5 hash:

9674e3b4cffbfd378cb384d02b7939e9

SHA1 hash:

ac75de7840ea193007bad71ada6a4f2c2a06979b

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c3c94923-cc35-4e77-9c34-4633f2937bdd/

Parent samples :

bfede26656dbab01c01f5187f8a5d9b63cd0f8bba301e8c1d145bda515960f02
b81b5d7a927299cc54748988d70523c615e82e21482652510a1a95db89b3521d
9c3d5704da83029f78ee8cf532c746cd04834f5375a698f21c50040ade6c5a09
89dc8c98551c4f2b309fd2807b8bf1d24e1c2abd953930f95b5aa1987e0966f2
4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742
2c4d743879afbbe0b4baa18e99e515a8b0586caf23308026e233c2031e69237c
16bd868c6c2200864825de71892e8802f0f7f243f476dcd38e9d713bb0a5ee44
581a4f34ba7db66e569d2d9135f8e73e089ed3bc4654c2e5099baf6854166021
324dcadf47a0c3085f54a7cfc51b512562ff907c953862e792356334b8fa74d8

SH256 hash:

fc85015434131a8d387733c9dc7503897d6f072f5992a0f3ad1c9d1899e5ce98

MD5 hash:

744208a18ae77651bf5bf975c1c1e325

SHA1 hash:

be4cb494d96013d5cd2c4921c10001cd83c51a9f

Link:

https://www.unpac.me/results/c3c94923-cc35-4e77-9c34-4633f2937bdd/

SH256 hash:

8f3126db84a30ae85f342d689162038f28ce45c5610fe409aa9c7f50c375e5f0

MD5 hash:

8b67be4e56c289c37f6fa44656316a4e

SHA1 hash:

b677200d22ea1af55b5c126586569c8d65aa2ac2

Link:

https://www.unpac.me/results/c3c94923-cc35-4e77-9c34-4633f2937bdd/

SH256 hash:

4c7ce432433fc3a8b0a33d558e0041d3f1c222224c5e61f33104d990a534c7a4

MD5 hash:

e8d756b4e2de5a67446e0b1b80e1bb99

SHA1 hash:

b664448f87ac044a16706d35e5d76538ba79508a

Link:

https://www.unpac.me/results/c3c94923-cc35-4e77-9c34-4633f2937bdd/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/c3c94923-cc35-4e77-9c34-4633f2937bdd/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742

MD5 hash:

f4a17b8e7d924cb0981a717aa945117e

SHA1 hash:

10cc4273cfbe1f0876696fb0e046370b4f4f26fe

Link:

https://www.unpac.me/results/c3c94923-cc35-4e77-9c34-4633f2937bdd/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4baabf9e31ff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 4baabf9e31ff1f2fec8fa4f3165d5456836c307591bf8840ec5a8074759fe742

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample