MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55
SHA3-384 hash:	0b27409b2a29c9928430cf8d114eebe7045a2307422c642938c20cfc165bcfbc8b874f6d0584389dc735c6fef7535d35
SHA1 hash:	e784bfd8f5f4514569205bb535ed8bc36ab47f28
MD5 hash:	fa6cb9677ff2254615166747668a72ed
humanhash:	three-whiskey-monkey-nineteen
File name:	triage_dropped_file
Download:	download sample
Signature	Formbook Create hunting rule
File size:	817'664 bytes
First seen:	2022-05-30 13:09:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:m/lw5ct3GObyKfhgbxApXENWUuzvKDt3gDipRTKeW:m/l8kNpgapC3sxkTd
Threatray	11'912 similar samples on MalwareBazaar
TLSH	T137058E44B689DEA6D90B1170C866D1F21A14AC7AC641A10F39DCBF7FF6B378D100D9AB
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f0c4824ccecef4f8 (7 x AsyncRAT, 5 x XWorm, 3 x Formbook)
Reporter	malwarelabnet
Tags:	exe FormBook xloader

Intelligence

File Origin

# of uploads :

# of downloads :

314

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

triage_dropped_file

Verdict:

No threats detected

Analysis date:

2022-05-30 13:17:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/08186cc2-76c5-43e9-a2a0-289807c8512a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/275491/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.ADNP.30581.16943.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6294c2426eb3ff32634024d4/reports/6d1a0d2c-4c59-46e3-8e63-6014aee9b939/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1562786-05ae-4389-9d2d-80be540931ae

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003704

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-05-30 13:10:11 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

161

AV detection:

18 of 26 (69.23%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j7rg5p6fierakiyqidpdx6hymxnbihzmtroczae6jp3m5twuhzkq._file

Verdict:

malicious

Label(s):

formbook

Formbook

6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114

Formbook

bcb97b3cbfe72dac8416a224ddb03a17ccba79da52872c6f5fcb13b93b43a247

Formbook

ce7d3bdad0d089583e735635f3d475e11dde86d0ad1c76d8735085a9ec031d96

Formbook

de4f5d7be84c3a10afa75bd2463a7c2958afc54300f88962f8e069d121752796

Formbook

df1510f64189b49ffeb4630c74af81a86888114102b493f52b5ad1c1cb58d121

Formbook

df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c

Formbook

e913d576e64c61f0fd94309e27a65a91f3418aae1914106ad0abc21745098428

Formbook

+ 11'902 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:be4o loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220530-qech7sgbf4/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Adds policy Run key to start application

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

MD5 hash:

fa6cb9677ff2254615166747668a72ed

SHA1 hash:

e784bfd8f5f4514569205bb535ed8bc36ab47f28

Link:

https://www.unpac.me/results/8ad9742c-b3f3-4d62-8b08-8c5e9bc503b0/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4fe26ebfc541/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275491/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample