MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d61d90d74ffd5bed763498b074fcf82cace2f5d6c7affc209ac917fac3d0912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13



SHA256 hash: 4d61d90d74ffd5bed763498b074fcf82cace2f5d6c7affc209ac917fac3d0912
SHA3-384 hash: 303efb1fe667d049d1737d107ea6e51ebe16b5cf604b409d9e3d3c099b48dfabff4fde094181dd3178f135cca02475a1
SHA1 hash: 92e1fb982b688ee10f2a00af97a16865a67ed88b
MD5 hash: 75fbbd4c0d9e37dca1d1f39f37d9ef14
humanhash: blue-kitten-high-september
File name: 4d61d90d74ffd5bed763498b074fcf82cace2f5d6c7affc209ac917fac3d0912
Signature Formbook
File size: 9'728 bytes
First seen: 2023-09-06 09:50:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 192:QfKniUC8ipnYWSF4wqQBGJaDZb/++c5qEczbre2xM3:QfXUCvpqCAo6/+j5jczb62x
TLSH T16B12A446E690423DE1213B3A89B2630E057ABF9559468ACE34CF74277E3E3404393FB2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 8b0b0b2361392f23 (2 x Formbook, 1 x SnakeKeylogger)
Reporter adrian__luca
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 285
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4d61d90d74ffd5bed763498b074fcf82cace2f5d6c7affc209ac917fac3d0912
Verdict: Malicious activity
Analysis date: 2023-09-06 09:49:27 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
DNS request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm control lolbin packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: FormBook, STRRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AllatoriJARObfuscator
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected STRRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1304197 | Sample: FC9259zAIF.exe | Startdate: 06/09/2023 | Architecture: WINDOWS | Score: 100
Process tree (node numbers are the graph's own; signatures, dropped files and network indicators are listed under the process the graph attributes them to):
[2] Start
    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
    Started: [9] FC9259zAIF.exe; [14] wechat.exe; [16] wechat.exe
[9] FC9259zAIF.exe
    Network: transfer.sh 144.76.136.153, 443, 49718, 49727 (HETZNER-ASDE, Germany)
    Dropped: C:\Users\user\AppData\Roaming\wechat.exe (PE32)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
    Started: [18] FC9259zAIF.exe; [21] javaw.exe
[14] wechat.exe
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    Started: [24] javaw.exe; [26] wechat.exe
[16] wechat.exe
    Started: [28] javaw.exe; [30] wechat.exe
[18] FC9259zAIF.exe
    Signatures: Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
    Injected: [32] xpGRlgALAiDNryldoQjuPnUW.exe
[21] javaw.exe
    Network: 140.82.112.3, 443, 49828, 49840 (GITHUBUS, United States); 140.82.112.4, 443, 49801, 49806 (GITHUBUS, United States); 5 other IPs or domains
    Started: [35] icacls.exe
[32] xpGRlgALAiDNryldoQjuPnUW.exe
    Signatures: Injects code into the Windows Explorer (explorer.exe)
    Started: [37] explorer.exe; [40] autoconv.exe
[35] icacls.exe
    Started: [42] conhost.exe
[37] explorer.exe
    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
    Injected: [44] explorer.exe
[44] explorer.exe
    Network: www.owcojyyde.best 45.33.30.197, 49857, 49860, 49865 (LINODE-APLinodeLLCUS, United States); leilah.org 66.235.200.146, 49830, 80 (CLOUDFLARENETUS, United States); www.leilah.org
    Signatures: System process connects to network (likely due to code injection or exploit)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-08-22 07:43:43 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family:
Score: 10/10
Tags: family:strrat persistence stealer trojan
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
STRRAT
Malware Config
C2 Extraction:
jegjav.duckdns.org:2027
2.59.254.145:2028
Unpacked files
SHA256 hash: 4d61d90d74ffd5bed763498b074fcf82cace2f5d6c7affc209ac917fac3d0912
MD5 hash: 75fbbd4c0d9e37dca1d1f39f37d9ef14
SHA1 hash: 92e1fb982b688ee10f2a00af97a16865a67ed88b
Detections: PureCrypter_Stage1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_TransferSh_URL
Author: ditekSHen
Description: Detects images embedding based64-encoded executable, and a base64 marker
Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
