MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f4d0fe769bd9d316323e290ab9116b5dd95eb7ff5842371f4ff54b2bcc1ae66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 4f4d0fe769bd9d316323e290ab9116b5dd95eb7ff5842371f4ff54b2bcc1ae66
SHA3-384 hash: 49819a4fecaff05b8b78015571910f154d20839ebd633db49270e1b67bc3b022ae9c9d5d13faba84457cb8253db744fd
SHA1 hash: a461eebee0428fa25319bedc4388b959ddf52918
MD5 hash: bc05415a4dce12adf6d1b6b65a49ba68
humanhash: montana-papa-zulu-hamper
File name: IM2201-2T, pdf.exe
Signature: Formbook
File size: 901'632 bytes
First seen: 2022-02-17 07:31:28 UTC
Last seen: 2022-02-17 09:01:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'240 x SnakeKeylogger)
ssdeep: 12288:YdpsFtRgCYY0Lg9ZUYdZxH22qla5w/yXbxpWoEMzSZwvPQTSKmG:8Cf0Lgo6ZxH0MW/Ibxp0Lw3YSK7
Threatray: 17'455 similar samples on MalwareBazaar
TLSH: T198159E05A36A1E81DC5C363A54F92F0527A16EF66C8BA20731FE347FC1FE3B66941189
dhash icon: 049caaaa8eb6a2cc (1 x Formbook)
Reporter: lowmal3
Tags: exe FormBook
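The imphash above matches tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because every ordinary .NET executable presents the same native import table: a single mscoree.dll!_CorExeMain entry needed by the CLR loader stub. The hash therefore identifies the managed-PE stub, not the malware. The Python below is an added example, not code from MalwareBazaar or from pefile: it reimplements the pefile imphash algorithm over a constructed import list and shows that the stub alone reproduces the value on this page. The NATIVE_IMPORTS list is a hypothetical comparison; the sample itself is not parsed.

```python
"""Reproduce the imphash of a .NET executable (added example).

Implements the pefile imphash rule: lower-case "lib.func" pairs in import
order, library extension .dll/.ocx/.sys stripped, comma-joined, MD5.
"""
import hashlib

# The only native import of a plain managed PE (constructed, not parsed
# from the sample): the CLR entry stub.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Hypothetical native import table used only for comparison.
NATIVE_IMPORTS = [
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "WriteProcessMemory"),
    ("kernel32.dll", "CreateRemoteThread"),
    ("NTDLL.DLL", "NtQueueApcThread"),
]

STRIP_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """Import hash over (library, function) pairs, pefile style.

    Order matters: the same API set imported in another order hashes
    differently. Ordinal-only imports (which pefile resolves through its
    ordinal tables) are not handled here.
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in STRIP_EXTS:
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def imphash_is_dotnet_stub(h):
    """True when h is the value every plain .NET exe shares, i.e. the
    hash carries no information about the sample beyond 'managed PE'."""
    return h.lower() == imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    page_value = "f34d5f2d4577ed6d9ceec516c1f5a744"  # imphash on this entry
    print("dotnet stub imphash:", imphash(DOTNET_IMPORTS))
    print("matches page value :", imphash_is_dotnet_stub(page_value))
    print("native imphash     :", imphash(NATIVE_IMPORTS))
```

Before pivoting on an imphash, or weighting the pe_imphash and Skystars_Malware_Imphash YARA hits listed further down, run the value through imphash_is_dotnet_stub(); for a managed sample, pivot on the unpacked payload hashes, TLSH or ssdeep instead.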

Intelligence


File Origin
# of uploads: 3
# of downloads: 220
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Searching for the window
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cobra formbook obfuscated packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior graph ID 573886 (sample: IM2201-2T, pdf.exe; start date: 17/02/2022; architecture: WINDOWS; score: 100). The graph image did not survive extraction; the process tree and network activity it encoded are:

IM2201-2T, pdf.exe (submitted sample)
  dropped: C:\Users\user\AppData\Local\dinton.exe (PE32)
  dropped: C:\Users\user\...\dinton.exe:Zone.Identifier (ASCII; the alternate data stream that carries the Mark of the Web)
  dropped: C:\Users\user\...\IM2201-2T, pdf.exe.log (ASCII)
  -> IM2201-2T, pdf.exe (second instance): modifies the context of a thread in another process, maps a DLL or memory area into another process, queues an APC in another process
     -> explorer.exe (injected)
        -> dinton.exe (two instances): antivirus, multi AV scanner and machine learning detection for dropped file
           -> cmd.exe (six instances, each with a conhost.exe) -> PING.EXE
  -> cmd.exe (two instances, each with a conhost.exe) -> PING.EXE ("Uses ping.exe to check the status of other devices and networks")
  -> 8 other processes, among them further PING.EXE instances and 13 other processes

Network activity (every edge originates from a PING.EXE process):
  yahoo.com -> 74.6.231.21 (YAHOO-NE1US, United States)
  74.6.231.20 (YAHOO-NE1US, United States)
  98.137.11.163 (YAHOO-GQ1US, United States)
  74.6.143.25 (YAHOO-3US, United States)
  74.6.143.26 (YAHOO-3US, United States)
  192.168.2.1 (unknown)
  yahoo.com (resolved repeatedly by the PING.EXE children of dinton.exe)

Triage note: yahoo.com and the Yahoo addresses are ping targets, not command-and-control infrastructure, and should not be treated as network IOCs for this sample. The dropped copy dinton.exe is started from the injected explorer.exe rather than from the original process.
Threat name: ByteCode-MSIL.Trojan.Tnega
Status: Malicious
First seen: 2022-02-16 20:49:07 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:ahge loader persistence rat
Behaviour:
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Xloader Payload
Xloader
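Both signature lists above record the same loader habits: ping.exe run through cmd.exe from the dropped copy in a user-writable directory, a Run key, and self-deletion, but the sandbox output does not include the command lines. The Python below is an added example, not MalwareBazaar or sandbox code: it walks constructed Sysmon-style process-creation events (hypothetical PIDs and command lines, written to mirror the behaviour graph) and flags PING.EXE launched via cmd.exe by a program living in a user-writable path, marking chains whose cmd.exe line also deletes a file. The "ping then del" pairing is the common way a loader sleeps before removing its original file; the exact command lines used by this sample are not on this page.

```python
"""Hunt the ping-delay / self-delete chain in process-creation telemetry.

Added example, not code from MalwareBazaar or the sample. Events and
command lines below are constructed to mirror the behaviour graph.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as in Sysmon Event ID 1 / 4688
    cmdline: str


# Directories a normal installer does not launch long-lived programs from.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Downloads|Users\\Public)\\", re.I)
# "ping <host> ... && del <file>": ping used as a sleep before a delete.
PING_THEN_DELETE = re.compile(
    r"\bping(\.exe)?\b.*(&&|&|\|\|)\s*(del|erase)\b", re.I)
SHELL_IMAGES = {"cmd.exe", "conhost.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _launcher_of(ev, by_pid):
    """Walk up the parent chain past cmd.exe/conhost.exe to the program
    that actually started the command; None if the root is unknown."""
    cur = ev
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        if _basename(cur.image) not in SHELL_IMAGES:
            return cur
    return None


def find_ping_delay_chains(events):
    """One finding per PING.EXE whose parent is cmd.exe and whose launcher
    runs from a user-writable directory; self_delete marks cmd lines that
    also delete a file."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev.image) != "ping.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or _basename(parent.image) != "cmd.exe":
            continue
        launcher = _launcher_of(ev, by_pid)
        if launcher is None or not USER_WRITABLE.search(launcher.image):
            continue
        findings.append({
            "launcher": launcher.image,
            "ping_pid": ev.pid,
            "self_delete": bool(PING_THEN_DELETE.search(parent.cmdline)),
        })
    return findings


def summarize(findings):
    """Pings per launcher; a loader that pings many times stands out."""
    return Counter(f["launcher"] for f in findings)


# Constructed events: hypothetical PIDs and command lines.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Users\user\AppData\Local\dinton.exe", "dinton.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c ping yahoo.com -n 10 > nul && del "C:\\Users\\user\\Downloads\\IM2201-2T, pdf.exe"'),
    ProcEvent(2110, 2100, r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcEvent(2120, 2100, r"C:\Windows\System32\PING.EXE", "ping yahoo.com -n 10"),
    ProcEvent(2200, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping yahoo.com -n 10 > nul"),
    ProcEvent(2220, 2200, r"C:\Windows\System32\PING.EXE", "ping yahoo.com -n 10"),
    # Benign: an interactive console started from explorer.exe.
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3010, 3000, r"C:\Windows\System32\PING.EXE", "ping 192.168.2.1"),
    # Benign: an installed program under Program Files using ping.
    ProcEvent(4000, 1000, r"C:\Program Files\Tool\tool.exe", "tool.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping localhost -n 2"),
    ProcEvent(4120, 4100, r"C:\Windows\System32\PING.EXE", "ping localhost -n 2"),
]

if __name__ == "__main__":
    for finding in find_ping_delay_chains(SAMPLE_EVENTS):
        print(finding)
    print(summarize(find_ping_delay_chains(SAMPLE_EVENTS)))
```

Only the two chains rooted in dinton.exe under AppData\Local are reported; the interactive console and the Program Files tool fall through because their launcher is not in a user-writable path. Tune USER_WRITABLE to your estate and combine the launcher path with the Run-key write recorded above for a higher-fidelity alert.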
Unpacked files
SHA256 hash: d4fe63abdfb59aaf266c5e00272fbff7bfbc6b23fc44ba91803889377b0c0232
MD5 hash: c2ab804438d27ce9451fe40388702784
SHA1 hash: efc098736ec44d4cfac5fd61b8c6dd6bab3a03ab

SHA256 hash: 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash: 9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash: e2378a1c22c35e40fd1c3e19066de4e33b50f24a

SHA256 hash: 4f4d0fe769bd9d316323e290ab9116b5dd95eb7ff5842371f4ff54b2bcc1ae66 (the submitted sample itself, listed again among the unpacked files)
MD5 hash: bc05415a4dce12adf6d1b6b65a49ba68
SHA1 hash: a461eebee0428fa25319bedc4388b959ddf52918

Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4f4d0fe769bd9d316323e290ab9116b5dd95eb7ff5842371f4ff54b2bcc1ae66 (this sample)

Delivery method: Distributed via e-mail attachment. The attachment name IM2201-2T, pdf.exe imitates a PDF document while carrying an .exe extension.
