MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6
SHA3-384 hash:	5e35f6db00b9d72085057d85d97e7c4cbdc6b495015ab895ea2fc9c5664c2bf10e1c4731dab2f6444aa5298c288dbfde
SHA1 hash:	4d7e4c21ae638f7e44081ec11fd65d56dd370812
MD5 hash:	dc244fcc2c14e1ff3aa8975b5f3f69b1
humanhash:	papa-nine-happy-saturn
File name:	Unit official request for rate offer.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	720'896 bytes
First seen:	2023-07-18 11:35:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:9PKGQIut7DTWmjiKnk6LG/LY1geryJr6ZVz1mEOFX2gI2B/s:oz7XrznkGGT1e8MG1f/
Threatray	3'247 similar samples on MalwareBazaar
TLSH	T118E46B0B3DD0295BE42E426E007C6A6CEAED961E427FE964342DC3A3B2F654C194D74F
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Unit official request for rate offer.exe

Verdict:

Malicious activity

Analysis date:

2023-07-18 11:39:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f0c637bd-ef4f-4c7b-b29c-96b614ee4bb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/423321/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19358.13042.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook lolbin packed replace

Link:

https://www.filescan.io/uploads/64b678ea46e64860de1038ae/reports/1b546b6a-bfe9-4b9f-b593-060f4027a039/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/dbfae414-5f3c-47d5-a187-501d7434d626

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1275043

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-16 07:46:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jqbqni54s7qyxkhndofd3y6simcddkxcznuc3kqxh7ht5pogst3a._file

Verdict:

malicious

Label(s):

formbook

Formbook

12d7296fa8ee95861d67877223842af8b28608bc8ea32cdff1c269701da3727e

Formbook

14ac214aee66557d77577da7211f5fa6476753b38ff8b40738c660a88c8ffd35

Formbook

1d8ffbf2a386718acac9f307a0b0315be1831b7a3407aeed7cd4b510db02a72c

Formbook

2b4b15b5d5d397385ff0c94694b64f604a284fabcf60b227356ece67a5b64ee7

Formbook

2dbe70cbbdcaf38adeeb141e74dd76d8c2bf2f3d3ad7d4e9b6ac2b75aac70b53

Formbook

3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11

Formbook

7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484

Formbook

ea70b9979a341160863f08becfdeb80c64450b37521dbbd6341cd4b88248a65d

Formbook

ec9d091c881ad4da6f5e77f947c2723b1aa374fbf373931871c767dfb9cabb0e

Formbook

+ 3'237 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230718-np1yfaae5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

27de1ba0ca30a5aec97b4c1c67b00b5d424ecc02e612a82a0ab7efe0c7cf230f

MD5 hash:

4d7933473269c946410f1bcc863f6fb0

SHA1 hash:

b4284f753eb4cc764c8c878e725aaab6fb3f59bc

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/63d6fd25-007a-483c-acc9-7ca98bf8bbce/

Parent samples :

4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6
4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc

SH256 hash:

00dc3a719e25b75930baf2d69e109229a752562b84e2e73db7823f373a0deb51

MD5 hash:

a9df754c8f8ea27fe333e0eb5aafcb05

SHA1 hash:

270fa47e4ccc1f430c2addb8f66cf6e1b65d7442

Link:

https://www.unpac.me/results/63d6fd25-007a-483c-acc9-7ca98bf8bbce/

SH256 hash:

a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209

MD5 hash:

e7709a907be0cdb6ff7eb99daee97c6c

SHA1 hash:

bb3f6871c40f54070b53947bf6958d410ea8bac1

Link:

https://www.unpac.me/results/63d6fd25-007a-483c-acc9-7ca98bf8bbce/

SH256 hash:

e1bce555584494aa374e12a3774a59fceed16f618cab304f174cb6ed1a5e25d2

MD5 hash:

4e0e40dbf2179d43075a4deab18445f6

SHA1 hash:

279a7d28495821de42b82b24c45cbf918b9f76ab

Link:

https://www.unpac.me/results/63d6fd25-007a-483c-acc9-7ca98bf8bbce/

SH256 hash:

4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6

MD5 hash:

dc244fcc2c14e1ff3aa8975b5f3f69b1

SHA1 hash:

4d7e4c21ae638f7e44081ec11fd65d56dd370812

Link:

https://www.unpac.me/results/63d6fd25-007a-483c-acc9-7ca98bf8bbce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/423321/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample