MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5
SHA3-384 hash: 48a1ee88b273534c879f91b55a69b0daf707000f6f6be787a6df6eea224f46a88d976994279603a18e3f8c04a7e1834a
SHA1 hash: 8ed65338fe577207d0c655a1d819bba12859bde0
MD5 hash: 973a0f17d8d87e9cc13e3f326a81a131
humanhash: fish-ink-burger-lake
File name:packing list -Invoic BL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:881'664 bytes
First seen:2023-05-15 10:49:02 UTC
Last seen:2023-05-16 09:53:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:rbysS3nxU8r6chUCGOEodiRf3bbxtkOS34UuHee60P:r4y8rBVGOEI6fbkO4Ic0P
Threatray 2'824 similar samples on MalwareBazaar
TLSH T176158B1072B54A16C7394FB080080E090F657E697C7FE5BCAD9EF185E6BBB4209A6DD3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71f0f8f4f4f8f071 (11 x Formbook, 7 x AgentTesla, 6 x Loki)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
254
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
parckingList -Invoic00 BLpdf00.r00
Verdict:
Malicious activity
Analysis date:
2023-05-15 09:42:40 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/98bd3b84-9cbd-45ef-be36-34a1f85f0188

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390043/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.29757.18085.21735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64620e29edcf46739b7d334e/reports/6ae37228-19a7-4515-87d4-fb287e321774/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/99c6895f-43ac-4344-b13a-928f695ffa6c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1233598
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 01:44:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwotk4njnffvstrl4c2xrsjkzyuiwfcgvjiuwxiga3zibf4d432q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
030026bf6983702ec4865754d69d48af120bf0dea165ef7ef22428422412fff4
Formbook
09c909d826f67375085a88c5a85bd863d6df12765f7584ed2d439af77afc4c21
Formbook
3fe2c04c33423019af7464d50b3df0775a565e9a31e1a289b49e4e180585ab00
Formbook
4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12
Formbook
6f6635f95155f37d66c295977e973d28b681fb57fc50caf361e5e13f1037008a
Formbook
6f6b3a191b4aad04649e0a6da4c6d2d73f037813cbeb84f4635c1a0d06ea2252
Formbook
73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
Formbook
8f3449b43eb5b5bc23330078ff8237c5d743a73519348f95b3c51d691f5663a3
Formbook
a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc
Formbook
f815d1ea14ef2734defc99e94b62ea6d0fd6a98f15a17c4476eef17b14f2587e
Formbook
+ 2'814 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230515-mwnq1sfh33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
9c0332033cc4aff58a7e965c7aa1898fedea5208f18ce79f2288290f5565c4bc
MD5 hash:
78bcb4f17e7012f839564dc1d7930cf9
SHA1 hash:
c4d4e3f45917faa856e69ed4f45e3c4bb17afadf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
Parent samples :
f815d1ea14ef2734defc99e94b62ea6d0fd6a98f15a17c4476eef17b14f2587e
73d1e3aef89f5422a3ef99c1b182cb87a9aac77654ec40d849b8f4f675ada622
b8a70013e02074ef65e40f9ceb419540d39121ec06a2eb01805f24e80f079627
4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5
SH256 hash:
958d1dc1b7321d5e6eff78652e8613e59bc6621bc98a2a6cb8f74eeedfaee9bf
MD5 hash:
b00cd696de344241cc4a2c4bab86b638
SHA1 hash:
d113054d741087f62d31a8c1097ec56872d24b74
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
e2f51e9e2e8d3c2e077877023d7f803a1ba15b555376e6a5db04faa157ddbcfd
MD5 hash:
c3acbab5f93406d618420eb6a52f5f26
SHA1 hash:
9669ef093c3ef50a0982b535c990b2931c552ac6
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
SH256 hash:
26f9bbb581c77d5b88a2a372a5ac02d0ea8106ca0e8823cb3d9e76f61fd1b8f8
MD5 hash:
403c14085d61ec805ccba1984900be37
SHA1 hash:
876fd6845579812abc37bb80425f276c57268581
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
SH256 hash:
6cd3220cefe1734412081fe11b2c3678511cd04ca0926abdc41a6d3664f9888d
MD5 hash:
a85fc4113d9e6bd0c9fdcc05c05e0a88
SHA1 hash:
589711cdf3b9554e63e3a7437994e666a9f5bf16
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
SH256 hash:
4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5
MD5 hash:
973a0f17d8d87e9cc13e3f326a81a131
SHA1 hash:
8ed65338fe577207d0c655a1d819bba12859bde0
Link:
https://www.unpac.me/results/7bc8cd19-17d5-4769-9733-b7c767a887c5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d9d3571a969/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4d9d3571a9694b594e2be0b578c92ace288b1446aa514b5d0606f2809783e6f5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390043/

Comments