MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c
SHA3-384 hash: 4a578f055d7845bcb2364eec0506041a5f06f67c896c1963f36859681f4ca614a99c652cb01ad3616c4278df8ab3fa04
SHA1 hash: 3b64176c99598532bcc734f5bc70f0af0285d267
MD5 hash: c83b057f4b72cc76a3bb50601bc5cf48
humanhash: nuts-foxtrot-april-fish
File name:Agro Alliance (Australia) RFQ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:381'600 bytes
First seen:2023-12-18 08:51:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 6144:bhjmb9v8giE2KY2XhmSaNTua18zJcRDYavtTrDcxExtpNhhP3Kdw:c5jiETK808z8DYavtnwydhiG
TLSH T17584235E76C448E7FA494FB04DBB974BD7F7B504C0229A174BB8DFABEDA12D2410A042
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468255/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.11904.22422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65800835f4b6e5e1634eab9f/reports/305e9305-c995-4b8d-9c54-336b9c8fb09e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f00d45dc-d435-414c-9574-fe87ea735883
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363858
Signature
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363858 Sample: Agro_Alliance_(Australia)_RFQ.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 32 www.zzennsensual.com 2->32 34 www.zippochinhhang88.online 2->34 36 13 other IPs or domains 2->36 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 11 Agro_Alliance_(Australia)_RFQ.exe 18 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\Temp\cltqsy.exe, PE32 11->30 dropped 14 cltqsy.exe 11->14         started        process6 signatures7 62 Multi AV Scanner detection for dropped file 14->62 64 Machine Learning detection for dropped file 14->64 66 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->66 68 Maps a DLL or memory area into another process 14->68 17 cltqsy.exe 14->17         started        process8 signatures9 44 Maps a DLL or memory area into another process 17->44 20 lUYpvgcuyHQLxxwsOiRbGfFNAvGHPV.exe 17->20 injected process10 process11 22 Utilman.exe 13 20->22         started        signatures12 54 Tries to steal Mail credentials (via file / registry access) 22->54 56 Tries to harvest and steal browser information (history, passwords, etc) 22->56 58 Writes to foreign memory regions 22->58 60 3 other signatures 22->60 25 lUYpvgcuyHQLxxwsOiRbGfFNAvGHPV.exe 22->25 injected 28 firefox.exe 22->28         started        process13 dnsIp14 38 zzennsensual.com 81.169.145.84, 49717, 49718, 49719 STRATOSTRATOAGDE Germany 25->38 40 ext-sq.squarespace.com 198.185.159.144, 49708, 49709, 49710 SQUARESPACEUS United States 25->40 42 5 other IPs or domains 25->42
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-12-17 23:23:58 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcosni5eqn33qcsnaduaif2wurdle5chffucvk5oeczzn7yjq6oa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231218-ksp4kahffq/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
914b7236c794b3aab5ca5781de56335b44de5affaa06e575a34a0649be4d4b01
MD5 hash:
fd899709ff18ce7054bc8f5d30d554db
SHA1 hash:
19dc440af70e1984829f444949ece148572447a3
Link:
https://www.unpac.me/results/6810f1a8-441b-4765-b6f9-70b8b8e1608c/
SH256 hash:
f22dc835d2b201dc613f7f673a0a5b606f3c43e967cca82b5093267f56ca9a00
MD5 hash:
d8991deab1bba4cc40d36a1475a2a1a7
SHA1 hash:
864186fe32ac6110e64247854a7a8b9ba5769c9b
Link:
https://www.unpac.me/results/6810f1a8-441b-4765-b6f9-70b8b8e1608c/
SH256 hash:
509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c
MD5 hash:
c83b057f4b72cc76a3bb50601bc5cf48
SHA1 hash:
3b64176c99598532bcc734f5bc70f0af0285d267
Link:
https://www.unpac.me/results/6810f1a8-441b-4765-b6f9-70b8b8e1608c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/509d26a3a483/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 509d26a3a48377b80a4d00e8041756a446b2744729682aabae20b396ff09879c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468255/

Comments