MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
SHA3-384 hash: 059e7d7ef3eb595c0ef3b319cdac0fc2f80b8f1cca8fc920444a59f453448f5e312351746759d2ac1ea6769351913e10
SHA1 hash: 1202cfd1bd7204e2e03c5fcd2d18b7c4cc08b4af
MD5 hash: 4fdc3c58bd266a07b0a35c009fc8f4f6
humanhash: social-victor-idaho-speaker
File name:New Order_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:384'065 bytes
First seen:2023-04-19 09:01:34 UTC
Last seen:2023-04-19 11:41:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:/Ya6804PDLwV6qmIY6LCHvMHbykxzAbxAKuWPwj+sVX4rOsfuW3epa3o9vNPCo:/Ya0ED3vYbykJAbxXPwj+nrOsfVwWo71
Threatray 2'664 similar samples on MalwareBazaar
TLSH T1A784220463D2C096E3331AB2A537A72F6EF52A152A20A7071754DEAD7FB39D0A74C743
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-19 09:02:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8ede9bb-4961-4f67-84ae-45919f8245d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383248/
Detection(s):
SecuriteInfo.com.FileRepMalware.326.21480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80367/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/643fae0ec1735fe5e756870f/reports/4fe3c655-6a53-402e-9aaf-fce5d6d7ab8b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6caea1c-f0b0-45b9-b82b-e6258445dba4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1216685
Signature
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-04-19 07:27:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzg3c4h3vgvpn6xv4qa2la7w26arenxw35yow5xdztdmie44h5ga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06fbb80f37ae3534d8d87fe5444da0a09f10e45b8f2882c9e9fe89e879d380c7
Formbook
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
Formbook
41ceb21d5f34451ddc166d2891c03c3af37ac0f2a055f5e274948b14c0f5a187
Formbook
564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de
Formbook
5b5f4c31207ebd9feb2cc1c2917f09bb82a820c5af6b2558bce95152bf41d26d
Formbook
8d108254a8f52c795d01e4fa87ac70437873d1073e38c179716e5fa40816b82f
Formbook
b3fe3de729e3bacd16f951173d7e42ec7fae5bf90909cece61e782282fd96ced
Formbook
b5b596f70279f40da033a19eb80841b5486fb16d9d44c2778cc158910adde7a1
Formbook
dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
Formbook
e2f96798a7d58ac8a06c39d4459336c8fddafec67fe12cda3c9d4e497702601f
Formbook
+ 2'654 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230419-kzge1abd3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
1ec556b9804a8195576bd569f55123e08c93406905b7fe66daadc5369d6c2dc3
MD5 hash:
62459803fbeef4fd6a4a096c937f9d70
SHA1 hash:
ec5a7eab356a72fe2da78f15922b35ae1b411ad3
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1d13feec-73ca-4d7c-b33d-dea6e8760f44/
Parent samples :
564bbf886f8ca5cb5674f3d073bc27faf96cd76e234eface059c53e676d8a6de
dd086f5b3e968fddaf79e87afc4f11d6e0c031e7c839e394b54b76c3f51c1f77
07e58562c48d6c226bc1dc5df78dea39e3cba578439d7ad04ed5d46975528ee5
4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
81f8ce446b9d3e123d81d617d24cd593050befc695ba76636b548c066f0a9b1f
SH256 hash:
67e25baff0b3f7a1c113efcc745954458fec8a4f7a820602e79eac9d292d48c3
MD5 hash:
7534319157a5fee111d00c04db2ae29e
SHA1 hash:
5e2e6995a015088745da4a1a0cb119fadc1c9e69
Link:
https://www.unpac.me/results/1d13feec-73ca-4d7c-b33d-dea6e8760f44/
SH256 hash:
3a5fd00ac6300b357cd2c0f0851c37061eebbbd559b74dfeff5d172456cdfc3b
MD5 hash:
92a457a95f9de7897893022b9cf0d75b
SHA1 hash:
941007a5f76e6d5d00578f48e27d668373e9313d
Link:
https://www.unpac.me/results/1d13feec-73ca-4d7c-b33d-dea6e8760f44/
SH256 hash:
4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c
MD5 hash:
4fdc3c58bd266a07b0a35c009fc8f4f6
SHA1 hash:
1202cfd1bd7204e2e03c5fcd2d18b7c4cc08b4af
Link:
https://www.unpac.me/results/1d13feec-73ca-4d7c-b33d-dea6e8760f44/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e4db170fba9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4e4db170fba9aaf6faf5e401a583f6d7811236f6df70eb76e3ccc6c4139c3f4c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383248/

Comments