MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
SHA3-384 hash: 4130f34d1688ba56d115a4ac094c684b1c66fc5ef76a571b324c162bf4fc0dad2e4df751b4d1cdb23c778d488454d2dd
SHA1 hash: 57b12bf0338f22d7603ff18c85c35725fc9b4f63
MD5 hash: ee5b1cf5c117fc86fe1bccfec9a8cc46
humanhash: nebraska-stairway-south-alanine
File name:Doc-633-17-07-23.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:718'336 bytes
First seen:2023-07-18 11:49:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GgERGQIut7DfWmRXtrGKXRtjxkxwm32cHO15UV7fmYiK13fJJ1:hERz7TrRXt7Xvjx4wmmuO14hiKBh
Threatray 3'269 similar samples on MalwareBazaar
TLSH T190E46D1B39D02A57E42E026E047C6A6CEBEDE61D427FD928342DC293B2F664C0D5D74B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423338/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12149.9090.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/64b67c6af3c193545ac66b54/reports/7169dd04-d57e-4809-b826-88a629e6363f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5f94dcb8-7dcf-481d-81a0-9b7d4ae4b265
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1275058
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 11:22:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtmnm35q6zb36vqhalnhhghnlqt4culmufnxzesc7fmdufrajgsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
210d5b19dfc3dff919ba6ed4d76d2aa8becc988dabcca66b247d05c51811434b
Formbook
2beabdd285adf915fc07418c5f9e57cc4430f766b838e1726570c21af4868f18
Formbook
38c1c1705e3b01c99f4767d19065cbd50ccae650ef3f4ee03c8327a1a33db868
Formbook
39fb90c640f2ee4c2b84536a9b6b5fa48a5f687840db28144acc6eaa2075ffb5
Formbook
4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6
Formbook
6948e70cac42443ee400a93e1aa7dbcc742e36eeed2e7caf2ee5ff3e19bd9ef3
Formbook
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
Formbook
86d4e06d459d993e94c995dc65bf75afbc4f91386ad7b10a1446bbb994c81d64
Formbook
97bd79e26600f552bfb5764aec1606acb63b830b5fefb807d12fe2088854a3cc
Formbook
dcc1c76391ceaadb1c6db678ad4811153fa107318b505d642c729abd7fe8cf1e
Formbook
+ 3'259 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230718-nzkn7sae9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
27de1ba0ca30a5aec97b4c1c67b00b5d424ecc02e612a82a0ab7efe0c7cf230f
MD5 hash:
4d7933473269c946410f1bcc863f6fb0
SHA1 hash:
b4284f753eb4cc764c8c878e725aaab6fb3f59bc
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0feabd5b-3e0d-4190-8b56-dd41e141231c/
Parent samples :
4c0306a3bc97e18ba8ed1b8a3de3d2430431aae2cb682daa173fcf3ebdc694f6
4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
6170ca69b5a91bef9aa4313b172e1e1cad9a1fe2e4f049052315fba5f9fc29cc
SH256 hash:
00dc3a719e25b75930baf2d69e109229a752562b84e2e73db7823f373a0deb51
MD5 hash:
a9df754c8f8ea27fe333e0eb5aafcb05
SHA1 hash:
270fa47e4ccc1f430c2addb8f66cf6e1b65d7442
Link:
https://www.unpac.me/results/0feabd5b-3e0d-4190-8b56-dd41e141231c/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/0feabd5b-3e0d-4190-8b56-dd41e141231c/
SH256 hash:
4013c4f6d9aaf9ed07e63af6a249685631109f402665738b8203f2cb4ddc1740
MD5 hash:
5cf1f006461fe736af4aa65c55e1b090
SHA1 hash:
b9c46486c182f77e306cd8c2cc15be37e819bac4
Link:
https://www.unpac.me/results/0feabd5b-3e0d-4190-8b56-dd41e141231c/
SH256 hash:
4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4
MD5 hash:
ee5b1cf5c117fc86fe1bccfec9a8cc46
SHA1 hash:
57b12bf0338f22d7603ff18c85c35725fc9b4f63
Link:
https://www.unpac.me/results/0feabd5b-3e0d-4190-8b56-dd41e141231c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cd8d66fb0f643bf560702da7398ed5c27c1516ca15b7c9242f9583a162049a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/423338/

Comments