MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8
SHA3-384 hash: 03f1283920a602f08849155e415159ea9c7605a05306a6ef1300172968b0904ad384312cae6871389d07ab40609fa59d
SHA1 hash: e43a8d51eacb148ed0cfa2d88b229bf212493eab
MD5 hash: 26c5dc4002976b3b9ae49f2440929df4
humanhash: neptune-september-alpha-lima
File name:7823754719107729.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:177'664 bytes
First seen:2022-01-18 12:22:06 UTC
Last seen:2022-01-18 14:16:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:mlLupiy0bK8IaYPtSHPWcmhVm13jPJXt9qoST/p80yX6moPCdj0U:ml0iy0bT1G/p80yX6moP+j0U
TLSH T1CC04A021DAF7DEB0DA53093BB53DF6230E1E2E7D5DA4F8482858F920EE77AC48844651
File icon (PE):PE icon
dhash icon 58cbdadadadadd58 (9 x SnakeKeylogger, 6 x Formbook, 4 x Loki)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220114/
Detection(s):
SecuriteInfo.com.W32.Faker.Q.genEldorado.16618.768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Running batch commands
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed quasar replace.exe
Link:
https://www.filescan.io/uploads/61e6b0f3d32385db6301986c/reports/dc100f0b-3530-4719-9bc6-56f12f19404c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5bd324c-237f-44df-af0b-bf3bcdc4bb7b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/922359
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 554833 Sample: 7823754719107729.exe Startdate: 18/01/2022 Architecture: WINDOWS Score: 100 55 ozzyingilizce.com 2->55 65 Multi AV Scanner detection for domain / URL 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 6 other signatures 2->71 12 7823754719107729.exe 16 7 2->12         started        signatures3 process4 dnsIp5 57 ozzyingilizce.com 159.253.41.162, 49784, 49850, 80 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 12->57 49 C:\Users\user\AppData\Roaming\...\update.exe, PE32 12->49 dropped 51 C:\Users\user\...\update.exe:Zone.Identifier, ASCII 12->51 dropped 53 C:\Users\user\...\7823754719107729.exe.log, ASCII 12->53 dropped 73 Encrypted powershell cmdline option found 12->73 75 Tries to detect virtualization through RDTSC time measurements 12->75 77 Injects a PE file into a foreign processes 12->77 17 7823754719107729.exe 12->17         started        20 powershell.exe 9 12->20         started        22 7823754719107729.exe 12->22         started        file6 signatures7 process8 signatures9 59 Modifies the context of a thread in another process (thread injection) 17->59 61 Maps a DLL or memory area into another process 17->61 63 Queues an APC in another process (thread injection) 17->63 24 explorer.exe 17->24 injected 26 cmd.exe 1 20->26         started        28 conhost.exe 20->28         started        process10 process11 30 update.exe 3 24->30         started        33 update.exe 3 24->33         started        35 timeout.exe 1 26->35         started        signatures12 79 Multi AV Scanner detection for dropped file 30->79 81 Machine Learning detection for dropped file 30->81 83 Encrypted powershell cmdline option found 30->83 37 powershell.exe 8 30->37         started        39 powershell.exe 8 33->39         started        process13 process14 41 conhost.exe 37->41         started        43 cmd.exe 39->43         started        45 conhost.exe 39->45         started        process15 47 timeout.exe 43->47         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 12:22:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2mfiwexmn4m4wdgw5rryc6q5tzftusgwpe3p5xbfmke57hykw4a._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oh75 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220118-pjx52abah4/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8
MD5 hash:
26c5dc4002976b3b9ae49f2440929df4
SHA1 hash:
e43a8d51eacb148ed0cfa2d88b229bf212493eab
Link:
https://www.unpac.me/results/163c6be7-7750-4efa-8734-a00626d95f04/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4e9854589763/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 4e985458976378ce5866b7631c0bd0ecf259d246b3c9b7f6e12b144efcf855b8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/220114/
  
URLhaus
https://urlhaus.abuse.ch/url/1986925/

Comments