MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f
SHA3-384 hash:	91a2bacc15b8872de36659e8095aa3b51c9d1269048ea579af1dd7af4aa7814b9724d9e886131b0c63c511b2dbe85105
SHA1 hash:	04444a777f14e29ee663786862a003ba45c44b85
MD5 hash:	582dda330545263342bb8990ab010556
humanhash:	vermont-fourteen-mars-zulu
File name:	SecuriteInfo.com.Win32.PWSX-gen.18329
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'304'064 bytes
First seen:	2022-09-15 07:54:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:V5/Xy4KytEB7YJLKw4RZ4ZWmXNZgXKvu6N1FFQFMoIYjraINotxTE:rXy4d+B7Y1KwxZv8XKWG19oraAotxTE
Threatray	17'743 similar samples on MalwareBazaar
TLSH	T1EA55D0D5BA1185A2DC7A9072F9A3D0702BB6ACFDC2EEC00718D83E27B4B61755873917
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e8d4b2a2a2b2c4f0 (10 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/310186/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.18329.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Searching for the window

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6322da9cca434b62337c20ef/reports/f93a7912-f364-413c-a529-a4b928e73e6f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2b601265-3ce4-434a-9572-c65a0c133f09

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1070765

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-09-15 05:57:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 41 (24.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jrij4wtnzrwptiuydvp5nqbnbzk547tdyxztoe2cl3kbl675fmhq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3dac62c4aec24d40cde7d96891550836d8af9e16c19b995fec79237ff46c0e29

Formbook

49e5ff72a0dc3d3c2e9164ab6a8a3c59b5f82894a7aa03d424b1eb7ae720cda3

Formbook

529da60d82a08a4b719cb37705fb00ea98ee0466308ba7f54d290e6347545edb

Formbook

77b910c55fbbd7f039208e66d79081fc98114685535974d5985546aea049d502

Formbook

8b52c0ca8e1117f7be2e09a6ed854c4a7131d1f0950fcabd665999b96e254bf9

Formbook

9aa82cf1503a5319e4ad73a655ecb111748bc643815ac729d466e303532245bf

Formbook

bf77d2a22aab1da7767128bcfdc9e1b31d46619a044b932b9dfa37cdc43eb65c

Formbook

+ 17'733 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:f48y rat spyware stealer trojan

Link:

https://tria.ge/reports/220915-jr41nagagk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b9811cfa-722e-4ff4-bcb9-1d2b8b2d1624

Unpacked files

SH256 hash:

39fe1f4d8a6a1ea85403431ed454d0f0c5b196af8f0836f0c13e4800ebd4a72b

MD5 hash:

ab41e51ffefb3aeb38258da1ee5b726f

SHA1 hash:

b4189e65c59b686529b7ac582840950754501a7b

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/f4e06fef-f05d-40d4-a967-0be6b7166785/

Parent samples :

93838af8cffda60213137f5bd1fb3dd149d2d1d58133a5911c277829f8f7f95b
77b910c55fbbd7f039208e66d79081fc98114685535974d5985546aea049d502
4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f
2de6c19efc14f316864c8245e3db27439515e4f06114e048e1868cfb45153343

SH256 hash:

4abfa032b5cebed5a4611d0c8968d1c52003935de2c083844beb466c240521c9

MD5 hash:

6786ac458edff3d3f300846e09624d29

SHA1 hash:

3c0f541cfbd674ffd9afd2bd4e90e5ce7bbaa04a

Link:

https://www.unpac.me/results/f4e06fef-f05d-40d4-a967-0be6b7166785/

SH256 hash:

5e20a424acb413582dc0c85a29113451064a9eee4c1acaf4069c1aa213a1c82c

MD5 hash:

d4d120945a88704b2667eee996c79f9c

SHA1 hash:

2d6ca5f487ec6d77c01d395383bc935b386b512e

Link:

https://www.unpac.me/results/f4e06fef-f05d-40d4-a967-0be6b7166785/

SH256 hash:

44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc

MD5 hash:

d012ba9057bf67c7f29871326f2af919

SHA1 hash:

1d5b8b512b37f0e1900496b578117082929654c7

Link:

https://www.unpac.me/results/f4e06fef-f05d-40d4-a967-0be6b7166785/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/f4e06fef-f05d-40d4-a967-0be6b7166785/

SH256 hash:

4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f

MD5 hash:

582dda330545263342bb8990ab010556

SHA1 hash:

04444a777f14e29ee663786862a003ba45c44b85

Link:

https://www.unpac.me/results/f4e06fef-f05d-40d4-a967-0be6b7166785/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c509e5a6dcc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/4c509e5a6dcc6cf9a2981d5fd6c02d0e55de7e63c5f33713425ed415fbfd2b0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/310186/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample