MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49
SHA3-384 hash:	2266f674dfa86fcc10914f0da94c8ad490be8921ac18c7e8a4b6d1efc562c4ff853dcaaf6b89ab6e89e658f4c4a18cff
SHA1 hash:	af2d21284c38f2772e4a6cee4010f8223c353133
MD5 hash:	fb8f5907dea7f91643212ede079ebc4e
humanhash:	sixteen-july-angel-rugby
File name:	SKJjH877.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	446'464 bytes
First seen:	2023-07-18 06:38:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	12288:Th1Lk70Tnvjcbw/Z3ZeYjV0Guf8d+zkUAJ:Pk70Trcb8Fx03mJ
Threatray	3'266 similar samples on MalwareBazaar
TLSH	T19394F1213081C0F7C876057445EAC7794A3934764B7691EBB6EC2BBA5F213E1A73A1CE
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SKJjH877.exe

Verdict:

Suspicious activity

Analysis date:

2023-07-18 06:43:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3f668327-db9b-4e7e-b819-bcca2e208f6a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/423262/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin packed

Link:

https://www.filescan.io/uploads/64b6338a46e64860de1020ac/reports/c3241306-e272-46de-b851-b635c431cf08/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ffb4f9f7-a574-4c1e-9d0c-37518bb33c20

Result

Threat name:

RedLine, zgRAT

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1274898

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2023-07-17 09:55:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 38 (81.58%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jr3fpk2iv4bov3u2z3jymfantps3nj372gxkivld2saoykf5xjeq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2dbe70cbbdcaf38adeeb141e74dd76d8c2bf2f3d3ad7d4e9b6ac2b75aac70b53

Formbook

4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875

Formbook

4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49

Formbook

6510c3886e8ddeb0b7b164f915cdb5af33622d9f662b4ef814679e75657daff1

Formbook

67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496

Formbook

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9

Formbook

c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76

Formbook

c5b99e7807cf9f4add86f8521664eb8416fd87532cc8378076826ccdd74adcc3

Formbook

c76519bac4cff0206fbdd13fd4f016b7d7fe3607fd0c4b25dde7155765a9b2ae

Formbook

+ 3'256 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230718-henmgahe4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

021c8353e90a2a421100bbb1d405f9bb5b979cfd38a8d4dbd8395516ea1725af

MD5 hash:

ba3428a2af0e9ba599012e9e6186c728

SHA1 hash:

ce153ea44daaa7be1775d496c7103f689bc9811c

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

SH256 hash:

945a627159d5c8c7d51ae8d782f5a579133db8f8ed6915db07822ec832ec8d75

MD5 hash:

940b9dca4c71595f529f881ba3e90eff

SHA1 hash:

79157dbc528381a477f54adf5072706b3a361277

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

SH256 hash:

9f2155d2fb44240b8b1de551f4dde530cbe277afc8cf2598c1407b2173b7764c

MD5 hash:

af3714a09872414507c3a9b91a6d1e10

SHA1 hash:

f96a92e20b93841ad0250d6ee6b89e194cf64e5f

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

SH256 hash:

f500f9be70d74c289e72e3ec8ae4dc52e3ba338dfc94b0dcfe39feecb8e1f6b9

MD5 hash:

a18cd734d6ae4f4229471eb96145c8e9

SHA1 hash:

d324369c66979672d0b263ba595fadda74e38a95

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

SH256 hash:

faaae4322148f518df079221a284affc0c048913750d76baa6371d3631101360

MD5 hash:

757de7f9faa8f3a5d85c25b86eacb64f

SHA1 hash:

77bbd7c6082b5e9ae83017f56551c42dd62666d2

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

SH256 hash:

a31380d4679ca5465d1d839aca9916167e2fed917e512cdfc63170de8a1da87b

MD5 hash:

2429d86d4905b083c30d4b0914a60de6

SHA1 hash:

36b454c42552c96717233f12bf749183b0ff710b

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

SH256 hash:

4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49

MD5 hash:

fb8f5907dea7f91643212ede079ebc4e

SHA1 hash:

af2d21284c38f2772e4a6cee4010f8223c353133

Link:

https://www.unpac.me/results/679f3813-5b72-4d25-b57a-698da835888c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c7657ab48af/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r01 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90

Formbook

exe 4c7657ab48af02eaee9aced386140d9be5b6a77fd1aea45563d480ec28bdba49

(this sample)

Delivery method

Other

Dropped by

SHA256 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90

Cape

https://www.capesandbox.com/analysis/423262/

Dropped by

MD5 66730821c6262469431461d7ab1ad47e

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample