MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0
SHA3-384 hash:	de5f457770516d73b9ad0ea13baedf7eb9e3182badd4c42aeb5bc58e3f87fc7098b3806297772ecf35d79bdc5ccf45f2
SHA1 hash:	c055bb5046a718c9838a4c453e1e36d1c3941db2
MD5 hash:	1ac8fb5ee2cea350e46ecc78bf7d1c46
humanhash:	stream-aspen-steak-batman
File name:	PI 10_09_2024.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'566'720 bytes
First seen:	2024-09-10 13:32:52 UTC
Last seen:	2024-09-12 09:15:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep	24576:84lavt0LkLL9IMixoEgeaLthteKjX06Pzh71lKEzkAg5q9MmCS:Lkwkn9IMHeajAKDfPz5PSFaPCS
TLSH	T1C575DF122BEDC296C3724533B9A1F725AE7F6D241CA5F1472F9528BCFE307606609263
TrID	63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10523/12/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	0cacc0c4b0944c10 (53 x Formbook, 1 x AgentTesla)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

418

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PI 10_09_2024.exe

Verdict:

No threats detected

Analysis date:

2024-09-10 13:36:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d68f7981-68a3-4185-a047-54827040918e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Rogue.0hr.20240910-1233.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66e04a9076bc4542b04957fd

Tags:

Inject

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit fingerprint keylogger lolbin microsoft_visual_cc shell32

Link:

https://www.filescan.io/uploads/66e04a8f76489fce727e1cd4/reports/ce8674b0-2c4c-42d3-a21a-2479146cf6ac/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dcee8bbd-90fc-439d-a5e6-8c67119f3f1e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1508675

Signature

AI detected suspicious sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-09-10 02:56:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 22 (77.27%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jywhrjv66lfo6u3m6agem6suu4ebvxebddtxiecd4jb4b22iipia._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240910-qthnrsxemd/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f2f0a96a-e02d-4a67-acde-e6b11c54a972

Unpacked files

SH256 hash:

bd37ce88195fc1c46c6286a6179d299dc8fc053387b2838aac97293a16f87d55

MD5 hash:

494903e84221d7bf502833b5f2768a3e

SHA1 hash:

8489f8e9b1864007d065c817138f688604e3f5c5

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/37fcbcb5-e3ce-4158-909a-82f71cb07f3f/

Parent samples :

cb285143cd75f82e067dd05a22f5ecf2919d00aaf5cd402cb82b3acdc7c34572
33c35a40c1a1a5e6367c54c260ce98a319656620b699c2415c37b0ac0c96308d
1195e23ce52a59091283a3a60ed2ac705335c0d7553aa95be4be357e2b3561d4
80afadda3249db06685138649318a9497042e51bc9c45c9738d3954820a7d7cc
a67db17216640f8933f8f10b3fdf993e79b5ba3dbdfc37245d45c815aa408d84
ddbfbc45ef066cddbcf28645c981047d86850832f1b404384d7503935f5371b1
32f54aec617924a0c4aef987083214424660a28a38eda00c481b1bfa1e9b0e04
c77db67f84b81fdeac20939661e9725c5ce94d99073132be2bb6ecf58e3a02ea
42758436a8d96f2920b1488154897758fd30cb1240e86715642c4ac7954bdf92
3871986b7e27268307c2bddedcdf49608beabc7bd52b99c33005d3ddb5860a25
a6e7bc88ba8f280ff9de60e1454d5c086bb352dc6d151ea2a23b48b077e756f8
4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0
76fe69849ddbda008d54ff757bf77599f77c33245dd8f28d3b1c53e3940980f4
6e66e6f4874039caa5e41d1da7b90159c8ada4373c2fd27eb080c3f6d9db5d81
1e9749562a2a6f8c1369071ba34ed60bb57d42fb3493f841015694dcea7ccaf4
6324e104465abaa65dfeb1aa5796b4530e6ebdf8a9ad12b5bf9b44f38d02a1db
3d0f325a9cdb285dcaef0c137211ae8d3cc2d4978c25ecc39efd38677656787c
310bb3e5a5b7ad390b0b624ab14486f7724ee2b49f10b5dc250f3907bf84486a
4cc21e10bb6b9d996f05937c70cba3ef5c72fe916c4f8969c01d1e2c9c7fb07d
7b0f3cb252c7a9ee5923d57f0e50c052bd54d10755cc7df40b9a9110c0437de5

SH256 hash:

f073c47484a5c2fb77f4198de069b4ee8c73dafd102d7a5c2d37da819412c7e4

MD5 hash:

ca239f3c3f0b3660e18b1f247fefdcdc

SHA1 hash:

9d591c126746b726f8c2486cfbc6aa8dae3f5031

Link:

https://www.unpac.me/results/37fcbcb5-e3ce-4158-909a-82f71cb07f3f/

SH256 hash:

4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0

MD5 hash:

1ac8fb5ee2cea350e46ecc78bf7d1c46

SHA1 hash:

c055bb5046a718c9838a4c453e1e36d1c3941db2

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/37fcbcb5-e3ce-4158-909a-82f71cb07f3f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4e2c78a6bef2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 4e2c78a6bef2caef536cf00c467a54a7081adc8118e7741043e243c0eb4843d0

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample