MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729
SHA3-384 hash:	50e555f063437e5a92b6c34aba5459ccb07b6f98c436e01f90aa516cc9d9eac67913d9300e10fa52506283207fea4d05
SHA1 hash:	6db3f33a35e52d52ed0e38ea91d1068ce37abc6e
MD5 hash:	00f3bb26404083ff4e56765f2affe183
humanhash:	eighteen-ten-fruit-spaghetti
File name:	发票运单明细.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'066'496 bytes
First seen:	2023-03-09 08:33:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:3a/5u62iNCH3D17/bmrs9LTRAfeCZYNqJ7i/EfJNz65ujZyjsqLhP:3a/5u61AH3pqA0feCZYsJ/R45uwo
Threatray	2'329 similar samples on MalwareBazaar
TLSH	T16B35AD5572B1DD33EC8F417B5917B2992D7D3D436251F23B6A3A3AA0DE3097BB188202
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

发票运单明细.exe

Verdict:

No threats detected

Analysis date:

2023-03-09 08:41:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/34676036-acd9-4507-b923-0cd8ec151363

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/372876/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bladabindi formbook packed

Link:

https://www.filescan.io/uploads/640999fbf1a68c396b2e10b8/reports/6f359ebb-11bb-43f9-bfe8-774a6a564a10/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a66378b-9c51-4726-b00b-81763c860366

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1190238

Signature

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729/

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2023-03-08 06:55:51 UTC

AV detection:

23 of 37 (62.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2k4tmdgfmqpgy35j7lzelfijjuo7mammn2qa7c3xu4jktu3m4uq._file

Verdict:

malicious

Label(s):

formbook

Formbook

520332210fa79a3628b8a514f18ba872117489cb013809161629d1443d8ae800

Formbook

7a4cbe6918c174321d777bd64c6cd6d8c6a3ba69c07a43ca357a691f0ef6a480

Formbook

83665b988b1a63b2d9eb4f3e3ef565f41a2871bfa2bf11d1e6ee62c8177f657d

Formbook

8510156c681956fa592f4e2f346a7cd02ce7a00a31264dc2106e6e0b5a4b267b

Formbook

9c1292869bf34d5077f8f2bffd19ff671a0dcd996734c3d8af1e484cac42d80d

Formbook

afbccae6537d0602edbc99ef03ec8b89ec23df241079f949c0b8a0aa6f9aa8f0

Formbook

f7bb2d35300a95c164089832c13410023d2293390130109ae3693fd0d05a3df8

Formbook

fef348f0a51720ef524010b7225f6d338e10654e4fc13f4a6b89b07deafd35f7

Formbook

+ 2'319 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230309-kfxb4sac9y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Unpacked files

SH256 hash:

94de2d06a90fc9e4fdffa3dcd2d15bdf72f26f6307add506b6d3c5f605906c43

MD5 hash:

884b932e200588d5d92ecd1c666dd5bb

SHA1 hash:

d5e1fa13db6d26a4db595eb0fd10d59ee39f9656

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/38193080-5155-43ba-b887-eafa66477a56/

Parent samples :

4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729
6a766e75516bc67b48fc8b521bb77c09f67a00baeaf20555e0630001d9ebdd90

SH256 hash:

200412219c7a7a676d9d2fcf312a4307ffb988b5258396e335685d4cd0c89bad

MD5 hash:

d154eb88dd6745b13ca27b4a21f50e96

SHA1 hash:

a393d83c98609872e20253d42d7d247c23acfcfd

Link:

https://www.unpac.me/results/38193080-5155-43ba-b887-eafa66477a56/

SH256 hash:

6e6eb3b519ad83eed95562ee1bcd42f94da456cf6489dcfbb3b0f67dfb88787b

MD5 hash:

9dbc710762975ef864820392270dc5b9

SHA1 hash:

7cd6454c744400af85ce48f16f098ae99f24f45a

Link:

https://www.unpac.me/results/38193080-5155-43ba-b887-eafa66477a56/

SH256 hash:

dd49948e0b3393a8b53084075ec2f2a8c36813d1ba1ca538697eb62ec4b4deae

MD5 hash:

538dab51e58b7dd3809664982f4d0746

SHA1 hash:

4e7f9615f1d96b087c453a72217662f867e0520d

Link:

https://www.unpac.me/results/38193080-5155-43ba-b887-eafa66477a56/

SH256 hash:

74ad5e3b5adcc8fa71e498badf48275500c3090a82f317e8dc4e07d83d0418a2

MD5 hash:

843d5af40b52eed8701383dbcb37c8b1

SHA1 hash:

308d0f63a9a70739e6e44cd66452d36bd253e01d

Link:

https://www.unpac.me/results/38193080-5155-43ba-b887-eafa66477a56/

SH256 hash:

4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729

MD5 hash:

00f3bb26404083ff4e56765f2affe183

SHA1 hash:

6db3f33a35e52d52ed0e38ea91d1068ce37abc6e

Link:

https://www.unpac.me/results/38193080-5155-43ba-b887-eafa66477a56/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e95c9b0662b20f3637d4fd7922ca84a68efb00c6375007c5bbd38954e9b6729

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372876/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample