MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d
SHA3-384 hash:	271a4662d226346bd601abe84ff9343e55df39eff80805fcf83615af81315655b19d0da271d7ef1c3fcaf8e7a75642fb
SHA1 hash:	5eaeb77a0e804c062a314cb8c70abaa5d16feba3
MD5 hash:	227eec77c6eda60a64c4e5b51d5e51f6
humanhash:	apart-finch-table-floor
File name:	Purchase Order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	891'904 bytes
First seen:	2023-06-15 17:58:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:BgG1tCueii9iiBjUQE5JzXehReI5Pgbng:BgqtCDiNiBAHiReSPgk
Threatray	1'622 similar samples on MalwareBazaar
TLSH	T17B1512162915492BC66E37B94F12237077FF8B867D05E2CB1D8FB4C9E856F881E20693
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	0661697171716906 (9 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

338

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order.exe

Verdict:

Malicious activity

Analysis date:

2023-06-15 17:58:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7f02ff93-8f65-457c-adfa-f2d10f45b2d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/399284/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67495149.20791.268.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Creating a file

Forced shutdown of a system process

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/648b5168e8a7749a2a22338f/reports/01c67c55-05ee-480d-9347-12d0d7fbbf7b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1078aa68-cff7-45e6-8323-7046966e5547

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-13 04:31:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2gr342e6uajvm26xnp62wletthd4cu3p4t7gevhzscu5n2lrcoq._file

Verdict:

malicious

Label(s):

formbook

Formbook

03f51ffa9c987630724a451ad872f52bf97bd257ad06b58b6194f5dec29c8f13

Formbook

19b7214fa574ae296ae0494841dbd55d213c422c8872867e1be8969bb6d0e812

Formbook

2df55ec2cbfe5ba2ddfd9a597a1c2dcfe3c91f211ba611180c97443773f79732

Formbook

34a8585e0643993caaaa6c3fcd9933354087422062d3c887dada1d65b570bfb3

Formbook

70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1

Formbook

a022bc0ad88cce0b7ef8c68c7602003ff4150006503291b7ead2119ebdecb36d

Formbook

af7efb93740b9b9ee4cd6580a3eefa8298558c9f06b463eb44b03394cde441d5

Formbook

d96b4d0c1efd573f0833df766811861d8b116e92383da4543993971306ecbe4d

Formbook

f25beb74b5cbaeaf3ed9497d7c29d276fdf449f7c634dda71b72f2d9b5483f37

Formbook

+ 1'612 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230615-wkqkxaae91/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

70382ea1b363da419e2b0e806739138db40b4ec2ea276de2f1aefbd46ee66ac9

MD5 hash:

c260a705d14d1209ee29f226099010a1

SHA1 hash:

f7a97ae4da5562d1064bc7c94d7b68e184361bcf

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

Parent samples :

d96b4d0c1efd573f0833df766811861d8b116e92383da4543993971306ecbe4d
70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1
76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97
22515e24bf09d7d7b9ed02436f05853d5174aac248eb79c2b32a82096c8b30a3
2df55ec2cbfe5ba2ddfd9a597a1c2dcfe3c91f211ba611180c97443773f79732
34a8585e0643993caaaa6c3fcd9933354087422062d3c887dada1d65b570bfb3
a022bc0ad88cce0b7ef8c68c7602003ff4150006503291b7ead2119ebdecb36d
03f51ffa9c987630724a451ad872f52bf97bd257ad06b58b6194f5dec29c8f13
395133081793df5c1542b9e77a64a5271d1b358c1a7db674108a7624a9104809
af7efb93740b9b9ee4cd6580a3eefa8298558c9f06b463eb44b03394cde441d5
0335bef9440cae7dd60e617e31258a490b9598e3dfa1325bf79ca9eca5c4c720
4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d
02dc237cae6224ab8277187f6574215e15b4ddd4bf5b2bddbedaa95fc077e4e2
14bd08ddfd5f3fbeffbe9adacf4662f83267492eb8a2ca70a5c7613050039dc9
3c4e179c3ad40c3916a358a7115d8b4ad6d957cb57cecbba7c979057e5370748
16ef953132f6f51c904ccd3e04c933c20110c1dcbab443059df7218392291d5f
2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed
0978bd6c3a575dd054cd139eaecc851695800c859e61ed340b47c9d5bf0d0d38
ce9a0c42305d137c27b4f369996a15387ae6f0d1e391116f54e7733918083239

SH256 hash:

69ae0d2e1c3e2bbbe5183e41b3ac08a711b71c2740e59fab69abc6b463b249ae

MD5 hash:

4fc5c70a26e153516338b2bd4a6df5fb

SHA1 hash:

6d7e91edb55a50e3aeacf06752101ae672badc50

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

SH256 hash:

c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d

MD5 hash:

9390df6c9a6111978dee5414bc42eda6

SHA1 hash:

d3cb1c366b9e466afa93eb369838a04d30777795

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

SH256 hash:

13e9be0aba1cef3943954d2a204472356721075f8ecbfe565a476aec8346fdc6

MD5 hash:

4ce78b41df3f0bb4dff20793bcc9f78d

SHA1 hash:

4de22b09a356224b9916836ba2ee181d369d5f4f

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

SH256 hash:

38e538eab23592fcd1ddf53f11f4607c899a4313619a5916c9da9bdc9942f560

MD5 hash:

8723b23241c0dfbefae8206c81d4295d

SHA1 hash:

4c9c43dfa28e4da41cc2bb25ec7c08b4ca09e818

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

SH256 hash:

dad01149c730fba830d4cb8d2982d4ba6afe87b79e8834eceeb9aa70ee3a4738

MD5 hash:

d12cb733861a64408ba05f3ce9532e26

SHA1 hash:

47ef7e8819fa45267f8543bf8339430fb23803e6

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

SH256 hash:

4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d

MD5 hash:

227eec77c6eda60a64c4e5b51d5e51f6

SHA1 hash:

5eaeb77a0e804c062a314cb8c70abaa5d16feba3

Link:

https://www.unpac.me/results/a970bb10-6bdb-405c-a1dc-fcc3fdfa870a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4e8d1df344f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d

(this sample)

Dropped by

Formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/399284/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample