MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f9d49b16f9b752b0080488dc5a94f19abf0df27e50bd47126410f622d3d1cfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 15



SHA256 hash: 4f9d49b16f9b752b0080488dc5a94f19abf0df27e50bd47126410f622d3d1cfd
SHA3-384 hash: 37d2ce46fa7329bde1bb826d84939c0c580b1e450f21c362630b623d7be87678669e5f31b89cfa9f867fc8a7b96b008f
SHA1 hash: a091fd849f394ad1b086173e94d150d0aa924d37
MD5 hash: 8169d0fca16b51cc3f3b51dd59014517
humanhash: magnesium-magazine-uranus-xray
File name: 4f9d49b16f9b752b0080488dc5a94f19abf0df27e50bd47126410f622d3d1cfd
Signature: Formbook
File size: 797'184 bytes
First seen: 2023-06-08 12:20:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:kJ2B0xTGlxNqvNu2hZ+nUEsn9twjJD7O1rYq6ml4u6SUNAWDZF70r/y4U0cAWlHA:kJLaVUH999q9D7242WjoU0cAW+
Threatray: 2'970 similar samples on MalwareBazaar
TLSH: T14A05F151B1BB4F1BC1BB57F58504A2315BBE6A9CB872E3078EDBF4C62521F050A91B23
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: exe FormBook
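The entry above lists four cryptographic digests plus an imphash, and the imphash parenthetical (tens of thousands of AgentTesla, Formbook and SnakeKeylogger hits) is the tell that it is the generic .NET imphash: every managed executable imports only mscoree!_CorExeMain, so the value cannot attribute anything. The script below is an added example, not MalwareBazaar code: it reads a file once while feeding all four hashers, matches the digests against the hashes copied from this entry (imphash deliberately excluded), and confirms the file is a managed PE the way TrID's "Generic CIL Executable" verdict implies, by checking the CLR data directory in the optional header. The `build_constructed_pe32` helper fabricates a minimal header for self-checks; it is not the real sample.

```python
"""Hash a file once, check the digests against this entry's IOCs, and confirm
the PE is managed (.NET/CIL) as TrID reports.

Added example, not code from MalwareBazaar. ENTRY_IOCS is copied from the
entry above; every input used by the self-check helper is constructed and is
not the real sample."""
import hashlib
import io
from typing import BinaryIO, Dict

# Hashes from this entry: the submitted sample and the unpacked file that hit
# the win_formbook_* rules; the other unpacked-file hashes can be appended the
# same way. The imphash is left out on purpose: the entry shows it shared by
# tens of thousands of unrelated .NET stealers.
ENTRY_IOCS: Dict[str, str] = {
    "4f9d49b16f9b752b0080488dc5a94f19abf0df27e50bd47126410f622d3d1cfd": "sha256, submitted sample",
    "a091fd849f394ad1b086173e94d150d0aa924d37": "sha1, submitted sample",
    "8169d0fca16b51cc3f3b51dd59014517": "md5, submitted sample",
    "417fc8ab93a27f65e32dafe3e7d926abb7404347551e453b26b548131d92666f": "sha256, unpacked (win_formbook_*)",
    "bf747ac5bc5860b6e8555c2bab3b7a0626c16c2c": "sha1, unpacked (win_formbook_*)",
    "b617f14c27a47042b2f20dfbc0d80271": "md5, unpacked (win_formbook_*)",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")  # the four digests the entry lists
CHUNK = 1 << 20


def digests_of_stream(stream: BinaryIO) -> Dict[str, str]:
    """Read the stream once and feed every hasher from the same chunk."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return digests_of_stream(io.BytesIO(data))


def digests_of_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digests_of_stream(f)


def match_iocs(digests: Dict[str, str], iocs: Dict[str, str] = ENTRY_IOCS) -> Dict[str, str]:
    """Map algorithm -> IOC label for every digest found in the IOC set.
    Hex case is normalised because feeds mix upper and lower case."""
    lowered = {k.lower(): v for k, v in iocs.items()}
    return {alg: lowered[d.lower()] for alg, d in digests.items() if d.lower() in lowered}


def is_dotnet_pe(data: bytes) -> bool:
    """True when `data` starts with a PE image whose CLR (COM descriptor)
    data directory, index 14, is populated, i.e. a managed executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = int.from_bytes(data[0x3C:0x40], "little")          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 24                                            # 4-byte signature + 20-byte COFF header
    magic = int.from_bytes(data[opt:opt + 2], "little")
    if magic == 0x10B:                                       # PE32
        ndirs_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:                                     # PE32+
        ndirs_off, dirs = opt + 108, opt + 112
    else:
        return False
    ndirs = int.from_bytes(data[ndirs_off:ndirs_off + 4], "little")
    clr = dirs + 14 * 8
    if ndirs < 15 or len(data) < clr + 8:
        return False
    rva = int.from_bytes(data[clr:clr + 4], "little")
    size = int.from_bytes(data[clr + 4:clr + 8], "little")
    return rva != 0 and size != 0


def build_constructed_pe32(managed: bool) -> bytes:
    """Minimal PE32 header, constructed for self-checks (not the real sample)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    pe = 0x80
    img[0x3C:0x40] = pe.to_bytes(4, "little")
    img[pe:pe + 4] = b"PE\0\0"
    opt = pe + 24
    img[opt:opt + 2] = (0x10B).to_bytes(2, "little")         # PE32 magic
    img[opt + 92:opt + 96] = (16).to_bytes(4, "little")      # NumberOfRvaAndSizes
    if managed:
        clr = opt + 96 + 14 * 8
        img[clr:clr + 4] = (0x2008).to_bytes(4, "little")    # CLR header RVA
        img[clr + 4:clr + 8] = (0x48).to_bytes(4, "little")  # CLR header size
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digests_of_file(path)
        with open(path, "rb") as f:
            head = f.read(0x1000)   # headers of real-world PEs sit in the first pages
        print(path, d["sha256"], "managed=%s" % is_dotnet_pe(head), match_iocs(d) or "no IOC match")
```

Run it as `python check_entry.py <file>...` (file name assumed); a hit on any of the entry's digests names which artefact matched, and `managed=True` with no digest hit is the usual case for a repacked variant, where ssdeep/TLSH similarity rather than exact hashes is the next pivot.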

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4f9d49b16f9b752b0080488dc5a94f19abf0df27e50bd47126410f622d3d1cfd
Verdict: Suspicious activity
Analysis date: 2023-06-08 12:20:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 64 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 884274; sample kkMKT11G8A.exe; start date 08/06/2023; architecture WINDOWS; score 64):
Sample-level signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; Machine Learning detection for sample
Process tree:
  kkMKT11G8A.exe (started)
    dropped: C:\Users\user\AppData\...\kkMKT11G8A.exe.log (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process
    powershell.exe (started)
      conhost.exe (started)
    kkMKT11G8A.exe (started)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-05-30 15:13:43 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 26 of 37 (70.27%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
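The sandbox verdicts above agree on one chain: the .NET sample spawns powershell.exe (with conhost.exe under it) to add a Windows Defender directory exclusion, then starts a second copy of itself and injects a PE into that "foreign process", which is what the WriteProcessMemory and SetThreadContext API observations in the last behaviour list correspond to. The following detection logic is an added example, not MalwareBazaar or sandbox vendor code. It runs over constructed process-create and process-access events in Sysmon EventID 1/10 style and raises the three alerts a SOC would want for that chain; the PowerShell command line used in the constructed events is an assumption about how such an exclusion is typically added, since the entry itself does not show it, and the sample path is likewise constructed.

```python
"""Detect the chain the sandboxes report above: a sample from a user-writable
path (1) spawns powershell.exe to add a Defender exclusion, (2) spawns a
second copy of itself and (3) opens that child with write/thread rights, the
observable side of WriteProcessMemory + SetThreadContext hollowing.

Added example, not MalwareBazaar or sandbox vendor code. Events are constructed
in Sysmon EventID 1 (process create) / EventID 10 (process access) style; the
PowerShell command line and the sample path are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str             # "process_create" or "process_access"
    pid: int              # created process, or the source process for process_access
    ppid: int             # parent pid (0 when not applicable)
    image: str
    cmdline: str = ""
    target_pid: int = 0   # process_access only
    granted: int = 0      # process_access only: GrantedAccess mask


USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|extension|process)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: what a
# hollowing parent needs on its suspended child. Sysmon does not log
# SetThreadContext itself; this access mask is the proxy.
INJECT_MASK = 0x0002 | 0x0008 | 0x0020


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[dict]:
    created: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process_create"}
    alerts: List[dict] = []
    for e in events:
        parent = created.get(e.ppid)
        if e.kind == "process_create":
            if basename(e.image) == "powershell.exe" and DEFENDER_EXCLUSION.search(e.cmdline):
                # Admins add exclusions too; the parent's location decides severity.
                from_user_path = bool(parent and USER_WRITABLE.search(parent.image))
                alerts.append({"rule": "defender_exclusion_via_powershell", "pid": e.pid,
                               "parent": parent.image if parent else None,
                               "severity": "high" if from_user_path else "medium",
                               "hidden_window": bool(HIDDEN_WINDOW.search(e.cmdline))})
            if parent and basename(e.image) == basename(parent.image) and USER_WRITABLE.search(parent.image):
                # Same image relaunching itself from AppData/Temp is the hollowing setup.
                # Browsers spawn same-image children too, but from Program Files: the path gate.
                alerts.append({"rule": "same_image_child_from_user_path", "pid": e.pid,
                               "parent_pid": parent.pid, "image": e.image, "severity": "medium"})
        elif e.kind == "process_access":
            target = created.get(e.target_pid)
            if target and target.ppid == e.pid and (e.granted & INJECT_MASK) == INJECT_MASK:
                alerts.append({"rule": "parent_writes_into_child", "pid": e.pid,
                               "target_pid": e.target_pid, "granted": hex(e.granted), "severity": "high"})
    return alerts


# Constructed telemetry mirroring the reported chain (paths/command lines assumed).
SAMPLE = r"C:\Users\user\AppData\Local\Temp\kkMKT11G8A.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process_create", 4120, 1000, SAMPLE, '"%s"' % SAMPLE),
    Event("process_create", 4300, 4120, PS,
          r'powershell.exe -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    Event("process_create", 4310, 4300, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    Event("process_create", 4400, 4120, SAMPLE, '"%s"' % SAMPLE),
    Event("process_access", 4120, 0, SAMPLE, target_pid=4400, granted=0x1FFFFF),
]
# Constructed benign activity that must stay silent: an admin querying Defender
# and a browser spawning same-image content processes from Program Files.
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
BENIGN_EVENTS = [
    Event("process_create", 2000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("process_create", 2100, 2000, PS, "powershell.exe Get-MpPreference"),
    Event("process_create", 2200, 2000, FF, "firefox.exe"),
    Event("process_create", 2300, 2200, FF, "firefox.exe -contentproc"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
    print("benign alerts:", detect(BENIGN_EVENTS))
```

The path gate on the parent image is what keeps the same-image rule quiet for browsers and updaters; in a real feed, extend USER_WRITABLE with whatever other world-writable roots your estate has, and correlate the `parent_writes_into_child` alert with the child having been created suspended if your sensor exposes that flag.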
Unpacked files
SHA256 hash: 417fc8ab93a27f65e32dafe3e7d926abb7404347551e453b26b548131d92666f
MD5 hash: b617f14c27a47042b2f20dfbc0d80271
SHA1 hash: bf747ac5bc5860b6e8555c2bab3b7a0626c16c2c
Detections: win_formbook_w0 win_formbook_auto win_formbook_g0
SHA256 hash: a1b41c2a552cd9f101766b837d6461f873f9fe0afbf9657303d30c8fab34195f
MD5 hash: bf9c1b3acaa327a06c77419f0ad49860
SHA1 hash: 50cb5befa24cbeca6555448d7b4b78600102696d
SHA256 hash: fd2808e6d8ca5ac106fdc99bec093b592c29ae54a1a56ca2962e143ee4858df2
MD5 hash: 50f5ef9765688412bd690a5460194090
SHA1 hash: e5b1e729d1dce565c8f7de3710677561bdad52ed
SHA256 hash: f8489f0012905ca0e26e531807cc81b32767207a19e038a1b5161fccfa1121d7
MD5 hash: 47e9e8a33197bab7542c706effa6d44b
SHA1 hash: ce2b5fa198555e52582938ef34b7719c88048f4c
SHA256 hash: 16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash: fb4ed205b442f470bbf10913128efdcb
SHA1 hash: 9a0a4c5ae429769e3253a9a3daefa24270b87a5b
SHA256 hash: f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash: 7299310139d8fd6d9f2c067d13b3824e
SHA1 hash: 3bbc1160b82f289b5e8683d790a2ec1263998930
SHA256 hash: 4f9d49b16f9b752b0080488dc5a94f19abf0df27e50bd47126410f622d3d1cfd
MD5 hash: 8169d0fca16b51cc3f3b51dd59014517
SHA1 hash: a091fd849f394ad1b086173e94d150d0aa924d37
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments