MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
SHA3-384 hash: a4d4f7ad0265485dce34b4c990048adee4d564a67554cffe3a4afe6762fea75e2af811037832ba8b03bb803f4f8b842d
SHA1 hash: fc4a68398d978e96ff1a4e608b0c5e8e85f8a9b9
MD5 hash: 0c0f4b29d8f22a68af63878473d05f16
humanhash: snake-foxtrot-red-solar
File name:FEDEX_AWB.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:643'584 bytes
First seen:2023-07-26 15:26:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WJmefaynhgq63ZGiNIkW8tUZyyYy5ANvaqF+THb4or+SQk22:veCQgq24kW86y/fvFMb7tD22
Threatray 3'507 similar samples on MalwareBazaar
TLSH T136D4220073ECBFA7E13A97F24652144547F1DE67981BC2596FC120D2AEA6F154BB0E83
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FedEx FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FEDEX_AWB.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-26 15:32:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a980d8c-04c7-4186-be25-9f0f15535a78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434078/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2200.6900.29564.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/249c8342-610f-465f-8a90-a678c1b5a1b9
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1280410
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 15:07:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j72csys5vgiv4ez4prev5bonii2ycn4e7pbfdvzftwzty55yd4uq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c0810c9351e73650066ce431603eb2b586f28ef39cedbe53103e2b3e727840b
Formbook
2cd9e8fc5b73c35422b79574233937370a03f6714ba9e813da80ac2974b4cf91
Formbook
2fe516e9dac323f21ac793310c22d151e6d95079a59cc99ed6cad79691901c26
Formbook
455479a2d31bd901fdff62e67ec93e40f80e5956384e93e5030132d4a490501f
Formbook
7db4eb09d5e3b7b8cb37539295da0190b1c1416898804b297e1bc7b5f5eff9e8
Formbook
93d900164f8df22ed262ffba777f1138271b7c5982948c0e8115e59a3dce41ee
Formbook
9dea27ca0e29fd1b414242802ccc3801451b183af6a753bcc83d84bb0827b08d
Formbook
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
Formbook
+ 3'497 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230726-svsapsde89/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
e19264c74d7e9e7bdb1285d3ee5e917860eeeb9fe8687b32db67706eaa31281a
MD5 hash:
542ef80ceb62960eb33fbe6032e7d61c
SHA1 hash:
6e68147757bfb122d5915751ec99e454ee46923d
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/defd6256-de1a-41bd-ba50-c86d6282e26e/
Parent samples :
2fe516e9dac323f21ac793310c22d151e6d95079a59cc99ed6cad79691901c26
f2674b3bee2f8ae1a08576a04c6d301e58f33a5c6456d32e09bde8e7997479a1
4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
bfb1e4ae02e8f53a6d2023eeda4399be5502b9ab99770c9c3e4bfde0548a459b
490129df3b9f148b27f875a33d9e4d584a3470250d46b5ef5bfee336644081b0
831fb5c161081d10c2e952ef793f5db28c5aba8b7e0e858aa1e755481b875baf
SH256 hash:
11b0695e4b2ff83ae2454447092e1ca84581d3341dba1433fba718f13851e575
MD5 hash:
18462fcdfc6d9057e79fed9ef4d57d79
SHA1 hash:
427f69305ee749e27fd865cb220a2a79d5c037a0
Link:
https://www.unpac.me/results/defd6256-de1a-41bd-ba50-c86d6282e26e/
SH256 hash:
3871a9ab1ba6108a53757f5fec45f3985cf2f11e6edebb1694259f4a5c0767fc
MD5 hash:
cbaefcbf181bc50953e3cdc933238684
SHA1 hash:
e25153abbc73481c8cadbae03427e70939477d13
Link:
https://www.unpac.me/results/defd6256-de1a-41bd-ba50-c86d6282e26e/
SH256 hash:
1bf69033e97a8ad8d59469dd2f1aa57bab7461345e9993acc83afa48029c95ac
MD5 hash:
58419415321b3303da79fcd299874125
SHA1 hash:
a7a4c4fb47ccefd232a543219e2f4e0e12520912
Link:
https://www.unpac.me/results/defd6256-de1a-41bd-ba50-c86d6282e26e/
SH256 hash:
7989ef4467e921eed1f57923a21c7d93e7383198f217b396750b13591046e020
MD5 hash:
9d2084ab140f014afccea15aaeb31884
SHA1 hash:
8fdb6ce69c8d0631bb3bfbb00ce2c672e475b8e0
Link:
https://www.unpac.me/results/defd6256-de1a-41bd-ba50-c86d6282e26e/
SH256 hash:
4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29
MD5 hash:
0c0f4b29d8f22a68af63878473d05f16
SHA1 hash:
fc4a68398d978e96ff1a4e608b0c5e8e85f8a9b9
Link:
https://www.unpac.me/results/defd6256-de1a-41bd-ba50-c86d6282e26e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ff429625da9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4ff429625da9915e133c7c495e85cd4235813784fbc251d7259db33c77b81f29

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/434078/

Comments