MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738
SHA3-384 hash: 74f595b2e5c52390ca4c1f613ad2dcf0992a5495f5d512b0cdfa0f73fd3d9567c6691d8bc52a210b890fcdbbfbcf9e27
SHA1 hash: 0ae77c9c19e9abf574c677fd74864944ce3e53ed
MD5 hash: d1605933f2bb17e4b70a064ea8624454
humanhash: magnesium-tennis-two-iowa
File name:SecuriteInfo.com.Trojan.PackedNET.738.4592.27868
Download: download sample
Signature Formbook
Create hunting rule
File size:815'104 bytes
First seen:2022-10-24 07:28:22 UTC
Last seen:2022-10-24 23:37:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9y10PPJaxEOCf5lpLR6AlAfAOJEZ+mvFKsFh+/XPhgC938fBSFwv+aLjY8:UTJ0bvYsS/Jj938fBSKv5Y8
Threatray 3'614 similar samples on MalwareBazaar
TLSH T180057B34235A4F07E0EACF38B4B0D1B057669D7BB96E8A86CAD46CF779222B05D0D447
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00c4f8d2b290c200 (6 x AgentTesla, 5 x Formbook, 3 x NanoCore)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.738.4592.27868
Verdict:
Malicious activity
Analysis date:
2022-10-24 07:33:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9bb4390a-5615-4e07-8233-94e16f90dc07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323286/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.4592.27868.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f652460-0d8f-4c24-946a-44f9bc91c772
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096265
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728908 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 8 other signatures 2->74 10 XDSzBg.exe 5 2->10         started        13 SecuriteInfo.com.Trojan.PackedNET.738.4592.27868.exe 7 2->13         started        process3 file4 82 Multi AV Scanner detection for dropped file 10->82 84 Machine Learning detection for dropped file 10->84 86 Tries to detect virtualization through RDTSC time measurements 10->86 16 XDSzBg.exe 10->16         started        19 schtasks.exe 1 10->19         started        21 XDSzBg.exe 10->21         started        46 C:\Users\user\AppData\Roaming\XDSzBg.exe, PE32 13->46 dropped 48 C:\Users\user\...\XDSzBg.exe:Zone.Identifier, ASCII 13->48 dropped 50 C:\Users\user\AppData\Local\...\tmp83A6.tmp, XML 13->50 dropped 52 SecuriteInfo.com.T....4592.27868.exe.log, ASCII 13->52 dropped 88 Uses schtasks.exe or at.exe to add and modify task schedules 13->88 90 Adds a directory exclusion to Windows Defender 13->90 92 Injects a PE file into a foreign processes 13->92 23 powershell.exe 21 13->23         started        25 schtasks.exe 1 13->25         started        27 SecuriteInfo.com.Trojan.PackedNET.738.4592.27868.exe 13->27         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 29 explorer.exe 16->29 injected 33 conhost.exe 19->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        process8 dnsIp9 54 sphandicraftsbd.com 103.204.130.160, 49699, 80 TOMATOWEB-BDTomatoWebPvtLimitedBD Bangladesh 29->54 56 osakav.online 213.238.167.92, 49700, 80 TEKNOSOSTR Turkey 29->56 58 7 other IPs or domains 29->58 94 System process connects to network (likely due to code injection or exploit) 29->94 39 rundll32.exe 29->39         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 39->76 78 Maps a DLL or memory area into another process 39->78 80 Tries to detect virtualization through RDTSC time measurements 39->80 42 cmd.exe 1 39->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 05:46:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2mhvdexweu272lgtox5su42o5aglaculekdg2y6g7nmx2s3244a._file
Verdict:
suspicious
Similar samples:
0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6
Formbook
371982ab20054b57f6cd8698e9f64498c7a857b412d370febbf44d8cbe7f2285
Formbook
460c69c4be70e551090f246536dbe08336b489024408822ee4275c78aee099b4
Formbook
74bf4be5cd674b82ed1eee10d1187d16b8abd1c348d2527d8ff34d88fbc01114
Formbook
93c53e4d593b8eeddacb9fc6c04bea2b01d628e90517778fe8e12e841c8c58c1
Formbook
94db3f7ce693393d5fc3c2dd1d9507d7548d9589a40ad3d23a2117e27f14b094
Formbook
a8c68ac5c7aec3453426300c0b394ee0c7d6254f209e6fe56879a1d74ab4f660
Formbook
+ 3'604 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:pf20 rat spyware stealer trojan
Link:
https://tria.ge/reports/221024-ja8mhsfbh3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
f38b041ae11863ab3146102075a85714bfd0a3a174eafd52ae12bf72230afd77
MD5 hash:
45954f99b4c66ac25ad840aec7f9dc49
SHA1 hash:
72d25564d93588cf1958728885d2bbcdcad8837f
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/acc2b68a-12c3-4ddd-8c26-22c16110d187/
Parent samples :
438b38456b5033c20fef9d9da2a1882779b592fba20468242314a14c01c3d27d
4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738
69c32e09bd27aaea6ed0b0b448e6332f18e67daa0ad5d7cbc74718f9b1236cf5
40616665c8e28905ea7bf8726ba31150b48038f68681de80681f6b644d3e0189
2a4334476109d2ef5b95fbc6156e284a4c7340ffad00def833b23a3488884ded
SH256 hash:
877ba8b4409fb52479090e855f733505b7f81f482db4c4173bc7341d2fcb2a6b
MD5 hash:
c3dc84f32c0c8eed81b8500fffd30bb1
SHA1 hash:
fbbadc292efad02e96732f5c0d3276b643b44a81
Link:
https://www.unpac.me/results/acc2b68a-12c3-4ddd-8c26-22c16110d187/
SH256 hash:
6cd4f23261bf9a98b56e18f2b7e0876571e0999dba6322949d0fc50bb310cabb
MD5 hash:
5881c00a0d1ba4f1c79c3793aaae5e80
SHA1 hash:
e8d906df3ee036bd4519d3b8dad15d6eb4fd8c8f
Link:
https://www.unpac.me/results/acc2b68a-12c3-4ddd-8c26-22c16110d187/
SH256 hash:
3ba16a92b2b40d38c6e5e30f882a4c60b3838611868d990b7d986eb4018c17cb
MD5 hash:
16d6f358cc62b12dc869da8a59b03eda
SHA1 hash:
5eaf3662fbd4193086df2ba7233e9652542be8a3
Link:
https://www.unpac.me/results/acc2b68a-12c3-4ddd-8c26-22c16110d187/
SH256 hash:
744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f
MD5 hash:
91fed5db1afcdf48e0cd6d4058a013ba
SHA1 hash:
3717b3346e25d3f66f00626ad1a771d8655f485f
Link:
https://www.unpac.me/results/acc2b68a-12c3-4ddd-8c26-22c16110d187/
SH256 hash:
4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738
MD5 hash:
d1605933f2bb17e4b70a064ea8624454
SHA1 hash:
0ae77c9c19e9abf574c677fd74864944ce3e53ed
Link:
https://www.unpac.me/results/acc2b68a-12c3-4ddd-8c26-22c16110d187/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e987a8c97b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e987a8c97b129afe9669bafd9539a77406580545914336b1e37dacbea5bd738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323286/

Comments