MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4
SHA3-384 hash: abf66a9aa03f836ddeed6e5ecba9b2100a0ac1dbdce83242df32d1d7e412988f61422259c213b614033dc05975ab01e6
SHA1 hash: a943f46157dd27c7368dab940b5b76329c2c164f
MD5 hash: 1afe1de6244234dfedb2482067c9de55
humanhash: hot-arizona-beryllium-fruit
File name:SecuriteInfo.com.Trojan.Inject4.8601.27606.21156
Download: download sample
Signature Formbook
Create hunting rule
File size:573'440 bytes
First seen:2021-03-11 17:41:55 UTC
Last seen:2021-03-11 18:39:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:ePhZi9702dXV9la43mCdZbmh/ANFWbr2pNdYPCOz5Mp2ps:MhZQZc4W6ih4NFW3mNqKOlMI
Threatray 3'403 similar samples on MalwareBazaar
TLSH 85C402282EB89B49D3557FFA0AB3D12C67BD9681D815D348CF612DCC1B29F8819C1AD3
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Inject4.8601.27606.21156
Verdict:
Malicious activity
Analysis date:
2021-03-11 17:42:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58af3041-ca57-4a89-9e6b-69e29be14222

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123858/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.8601.27606.21156.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/637181
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 17:29:21 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
Formbook
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
Formbook
11f06223417d6045acaa15cf7f5515d9afdfc23590c9cd021c2ae90a736bb6cd
Formbook
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
Formbook
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
Formbook
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
Formbook
6aca638f8c9405c4c02bb3f2b5f5e5bc9d5596f8c68a57fb99347031415b584b
Formbook
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
Formbook
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
Formbook
b12941d367baf1228f6d262c4696b267cd1d36e600742aaf1fee00582fe1ea07
Formbook
+ 3'393 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210311-s1ettlfxk6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.farmingtonhillsmagazine.com/lhc/
Unpacked files
SH256 hash:
29a9cf3d5ff461c77234054b494b113f9565c96b50eb3defcf81ef50b0e4e5f1
MD5 hash:
a351714d0de243ee13cc032c24c6a793
SHA1 hash:
764a61b3c8f7f5445b11bcddb94cd1a9f570abcb
Link:
https://www.unpac.me/results/3a2cad0f-a863-4ec4-a7d0-93b76c0813bb/
SH256 hash:
1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc
MD5 hash:
8f85df46a482b5b068ae7667bf1a33d6
SHA1 hash:
a210d369311aa4d709dc962c634174738576907e
Link:
https://www.unpac.me/results/3a2cad0f-a863-4ec4-a7d0-93b76c0813bb/
SH256 hash:
285b877997ff5cdf8bf338f9c3c90930c574d5d39f9f10f1b832c844a7b5a124
MD5 hash:
da02c3ae2d654f9b032259fbfccb09d3
SHA1 hash:
c5b09816899b24999f0604466433b7ff011f3d0d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3a2cad0f-a863-4ec4-a7d0-93b76c0813bb/
SH256 hash:
4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4
MD5 hash:
1afe1de6244234dfedb2482067c9de55
SHA1 hash:
a943f46157dd27c7368dab940b5b76329c2c164f
Link:
https://www.unpac.me/results/3a2cad0f-a863-4ec4-a7d0-93b76c0813bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1061630/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123858/

Comments