MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
SHA3-384 hash: 66b29a641d6f0dede0bc7312090a366952b0060da7e6a180d205790366f3d07956f7748ee2eebe39107ae841311693a6
SHA1 hash: 3f4430e0805c49599c1aa070ecc8e21fc3a4bc61
MD5 hash: 77b1334e106a22b57403990acbfbe258
humanhash: equal-kansas-paris-sweet
File name:Curriculum vitae.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:942'080 bytes
First seen:2024-06-12 12:48:27 UTC
Last seen:2024-06-12 13:25:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'616 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:EiUGGg+lo71DICnPIXqv3eqbHSOxZoxtksCkqv:zUGGg+lYiqvu6SOxTk8
Threatray 30 similar samples on MalwareBazaar
TLSH T19C15D0C1329DFF09C87A0A7768213D6913BB39365360E294FDEB29F62420F4452767A7
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4eca8cf6-5dca-9151-ece6-794bbd1d9279.eml
Verdict:
Malicious activity
Analysis date:
2024-06-11 20:59:41 UTC
Tags:
spam
Link:
https://app.any.run/tasks/a02222ec-2308-4371-92b0-615b9b8cc7cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4851.18691.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66699929a2bce47be7d7fea2win7simulatehigh_evasion
Tags:
Network Static Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6669994b0bf5978c0b0eaf5e/reports/c6f71ca0-9cdd-41bc-b88a-2019bcf454cf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a88efd3-47b4-4678-820a-64b3bbcce405
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455981
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455981 Sample: Curriculum vitae.exe Startdate: 12/06/2024 Architecture: WINDOWS Score: 100 31 www.lets-goo.ru 2->31 33 www.gett.hu 2->33 35 11 other IPs or domains 2->35 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 6 other signatures 2->51 10 Curriculum vitae.exe 3 2->10         started        signatures3 process4 file5 29 C:\Users\user\...\Curriculum vitae.exe.log, ASCII 10->29 dropped 63 Injects a PE file into a foreign processes 10->63 14 Curriculum vitae.exe 10->14         started        signatures6 process7 signatures8 65 Maps a DLL or memory area into another process 14->65 17 vIxuWMsjTaiPBzQuHyS.exe 14->17 injected process9 signatures10 43 Found direct / indirect Syscall (likely to bypass EDR) 17->43 20 TSTheme.exe 13 17->20         started        process11 signatures12 53 Tries to steal Mail credentials (via file / registry access) 20->53 55 Tries to harvest and steal browser information (history, passwords, etc) 20->55 57 Modifies the context of a thread in another process (thread injection) 20->57 59 3 other signatures 20->59 23 vIxuWMsjTaiPBzQuHyS.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.crxwdix.store 124.156.151.111, 49717, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 23->37 39 emgeecontracting.shop 69.57.162.24, 53385, 53386, 53387 FORTRESSITXUS United States 23->39 41 4 other IPs or domains 23->41 61 Found direct / indirect Syscall (likely to bypass EDR) 23->61 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-06-11 16:39:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jr7fknaryoifch3bvnubqpvplnmfpizozjgen3vmu5igtlmaelva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
Formbook
659460bd481e4c381f51fa9d78a7c0829227027ded6aa9ebaea73df0228f7686
Formbook
9b2e166e69584f44f60b0d8a73335912f90e689ecaa2061afbd637709fba4393
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
Formbook
fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331
Formbook
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240612-p2cbaaygkk/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d4710dd4-14c6-4e81-af57-957f589be665
Unpacked files
SH256 hash:
c0e246e6291aefdcf8cdcbb21b2e58c8ee7d73d673036fd61fec22115c7ef997
MD5 hash:
5e6d96ec845915bf8dce30ee86403db0
SHA1 hash:
fcac493df8453d7a7be48104476c511a4ce89e46
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
Parent samples :
d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
SH256 hash:
6215c4f3fc7666f2a5757e6779864a884d7d698bb02594e4c8456f84daf6bb5e
MD5 hash:
cfe7e26312cf4ce9c4c628a290b6a55a
SHA1 hash:
71216d923775f21b2ee26913d1098fc035eb0b77
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
d67867ef93204c27c126a41fa778fcdbf89e34a3750014d8cc4a9394a1300d96
MD5 hash:
cfddc0c2c035e91ecc76782ff513e30a
SHA1 hash:
efd2f376cd2a3574240be6b03c563f42630a6ef7
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
Parent samples :
82cbe9fc57abd337a5bf0d0d478ae7fb9158987c1d7c5006b20e309c06329ae8
804aee8eba800043c912038c55c36edeb8dd761913047e99b4a5e8d8cb8ef6c4
SH256 hash:
81093094086d81ab0d5fb3d33a020edad9eb7403641e6e44809953ed16885113
MD5 hash:
6ee11d662269dd32b4de03aa667a987b
SHA1 hash:
83d5cedd2d8938851e712108c2b3db9216db8833
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
6d794b368e482264b310b0193bb5bbc5b5f54cb2013ead3519d0e91675525482
MD5 hash:
15233149eec74b2cee30c8c74a1f5b93
SHA1 hash:
31ec70c9794d99ba6e667e5cc4dea8682beb0085
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
368b7cc5250da07753ee8c7db19402735cb023829d5526d8ef45783820872e72
MD5 hash:
bf86145adb3533406a00eacc4b19f6ee
SHA1 hash:
ee9706cdd29d6a96ee41987ed5d35c71c486235f
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
0bb3dd38bdeeede14020a855838479d9a51064c804bcc3a70362e013b4ce9ee6
MD5 hash:
3f2b8c0bbf488b47dee7232f9439e43a
SHA1 hash:
e4ef60464d806e539ffc0fa561f22224468a4c34
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
5b19878fe5a2d84e717f58a96f645886b2a017d1dedee14ccdf413bc13409735
MD5 hash:
f35ac9e1d5889b888f5302beaefa4644
SHA1 hash:
b852c7b7228b134d548bf4ce8e230ed9637a5015
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
1e6853782ba49f95f4c5f4af7f18d60aba549f12d65d1e21bb76a5e2a97f99c6
MD5 hash:
35901b082956c409bf04e28cc5eda900
SHA1 hash:
9e33155343b59c3943bdb1b04bee6577f481bad0
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
e4e76a0a5e7e33e6c1d134d80ff7ab7351a4c7046c819f90f51c465114488ee8
MD5 hash:
9b8fefbcad14a549ba18141a9000b050
SHA1 hash:
343797ca0b8e1e013755c2c0030e9b522852a06f
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
a59cbe64d6a8b5f9c99812e4b3740689f908c2f910a93938ea2c85c0449d9b35
MD5 hash:
a4fa9a1d63fa16ba14367154ee3479df
SHA1 hash:
16740fbda019ea8f671188a40e687d4cd9eba52d
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
SH256 hash:
4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
MD5 hash:
77b1334e106a22b57403990acbfbe258
SHA1 hash:
3f4430e0805c49599c1aa070ecc8e21fc3a4bc61
Link:
https://www.unpac.me/results/c44c2865-cc27-4021-a487-d61ed8117b97/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments