MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bed9bf05fbe39e5c647087ae6384aba6aeef1f7cb730df31d87a40abd4bc7fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bed9bf05fbe39e5c647087ae6384aba6aeef1f7cb730df31d87a40abd4bc7fe
SHA3-384 hash: fb6958f7603c253f643818b7e6834fe0f1f2c235cc0d8e8524597f85b338bf34a99ff69b2915100d815d1a81fdfeeaa3
SHA1 hash: 7e6c7ac5c811b09449e1c52cd827f52ef84eb01c
MD5 hash: 8ae55af91838c5f58cc15244c75ee517
humanhash: virginia-texas-shade-xray
File name:TT COPY (39.750,00 USD).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:926'208 bytes
First seen:2021-04-22 06:28:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:DqZEZAZozRRRRRdgXB5DGY2YRQuNgMzaNBCo/bGfKyOvhqeawqWK5/:lRRRRRC/qY2+NN7o/kKya5awqpZ
Threatray 4'794 similar samples on MalwareBazaar
TLSH 29158E81B299CCBBD41721F0D897F5F42191AD48EA22912F35AFBE1E75F33521097E0A
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT COPY (39.750,00 USD).exe
Verdict:
Malicious activity
Analysis date:
2021-04-22 06:44:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee7adf64-1f71-47f4-bcfd-ee002eb0d0a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/143553/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692361
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 395120 Sample: TT COPY (39.750,00 USD).exe Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 37 www.oxfordfinancialadvising.com 2->37 39 www.changfangxinxi.com 2->39 41 f45.domains.fmgsuite.com 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 7 other signatures 2->55 11 TT COPY (39.750,00 USD).exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\tmp442E.tmp, XML 11->33 dropped 35 C:\Users\user\AppData\...\SLPveWSSdwLtRv.exe, PE32 11->35 dropped 67 Injects a PE file into a foreign processes 11->67 15 TT COPY (39.750,00 USD).exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 Queues an APC in another process (thread injection) 15->75 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 www.xmrxapp.com 103.120.83.153, 49724, 80 WEST263GO-HKWest263InternationalLimitedHK Hong Kong 20->43 45 www.valleywomanforwoman.com 173.239.5.6, 49727, 80 WEBAIR-INTERNETUS United States 20->45 47 14 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 59 Performs DNS queries to domains with low reputation 20->59 26 explorer.exe 20->26         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 26->61 63 Maps a DLL or memory area into another process 26->63 65 Tries to detect virtualization through RDTSC time measurements 26->65 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bed9bf05fbe39e5c647087ae6384aba6aeef1f7cb730df31d87a40abd4bc7fe/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 07:22:20 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpwzx4c7xy46lrshbb5omockxjvo54pxznzq34y5q6savpkly77a._file
Verdict:
malicious
Similar samples:
01476f904e668758ea516e84f359d6d0a4d85dadc179a51788a214ea46ff9dec
Formbook
0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
Formbook
34066150ffa7efa505b8d2246925cd8a32f83b9609438ae76aa27cef7388054d
Formbook
4d345d3e9341f12df8e933686d66efde41d0ba682e67b8a3d23064b35b400429
Formbook
4df95b25eba61af4dafea962aece44721deaebbb49cd3636fe3d20f169009d99
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
96bd9ed85e93c31a337a92e99fd6e1966f68f1a28fef43a21da725c36405988c
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Formbook
d8de6668573d3ceb90b6794ad11ce332f7d7ece1d4cc1c40b2279ebcdc71b5dd
Formbook
+ 4'784 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210422-c5tkpbawc2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.evrbrite.com/o86d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/4bed9bf05fbe39e5c647087ae6384aba6aeef1f7cb730df31d87a40abd4bc7fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4bed9bf05fbe39e5c647087ae6384aba6aeef1f7cb730df31d87a40abd4bc7fe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/143553/

Comments