MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756
SHA3-384 hash: 44e4067ff076c8f3ec687a10211a8c683270b6f3b98f2d9df03ab5d5b8af6e65149976ff30e42f4672f09545c605444c
SHA1 hash: 2a5052a602c4652e2a13e14f48cb1875c65212c5
MD5 hash: e9353f3724be78a9e04fd2b63da682a0
humanhash: island-grey-hydrogen-florida
File name:IR-82405- F-431A.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:423'276 bytes
First seen:2023-10-26 13:00:03 UTC
Last seen:2023-10-31 07:27:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:uzSxv/Yegz6q1neLOE2FlNYL2SJT3ohHwn09Jv1thx8V:uzS9YTeKPPmsc07Thx8V
Threatray 51 similar samples on MalwareBazaar
TLSH T1BC941295238891B7E2838B713AB1157C957AED6D11D0E70787A9BE2B7B32343874E703
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd0d0d8d4c0c0d4 (1 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
348
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
message__20231026144736_E888799BD215AA92_3b_eng_org_.eml
Verdict:
Malicious activity
Analysis date:
2023-10-26 14:17:35 UTC
Tags:
formbook xloader stealer spyware sinkhole
Link:
https://app.any.run/tasks/1fbfee3c-218b-4e3b-b05a-827d58737e20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456541/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.29009.12592.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/653a630e4ebf05ac3f3a693f/reports/e3f37edb-53c8-4100-b9b0-d7abb5854b21/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Conti
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd8e7fe0-923b-46ce-b09f-85c02ee395cd
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332682
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332682 Sample: IR-82405-_F-431A.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 37 www.vevo-verify.com 2->37 39 www.ui-un.com 2->39 41 7 other IPs or domains 2->41 53 Multi AV Scanner detection for domain / URL 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 5 other signatures 2->59 11 IR-82405-_F-431A.exe 17 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\tyieempdq.exe, PE32 11->35 dropped 14 tyieempdq.exe 11->14         started        process6 signatures7 71 Antivirus detection for dropped file 14->71 73 Multi AV Scanner detection for dropped file 14->73 75 Detected unpacking (changes PE section rights) 14->75 77 2 other signatures 14->77 17 tyieempdq.exe 14->17         started        process8 signatures9 49 Maps a DLL or memory area into another process 17->49 51 Queues an APC in another process (thread injection) 17->51 20 uLBHzWslwDX.exe 17->20 injected process10 process11 22 msdt.exe 13 20->22         started        25 autoconv.exe 20->25         started        signatures12 61 Tries to steal Mail credentials (via file / registry access) 22->61 63 Tries to harvest and steal browser information (history, passwords, etc) 22->63 65 Writes to foreign memory regions 22->65 67 3 other signatures 22->67 27 explorer.exe 4 1 22->27 injected 31 uLBHzWslwDX.exe 22->31 injected 33 firefox.exe 22->33         started        process13 dnsIp14 43 www.blackgrow.info 203.161.53.83, 80 VNPT-AS-VNVNPTCorpVN Malaysia 27->43 45 transportlogistcs.com 216.246.46.167, 49752, 49753, 49754 SERVERCENTRALUS United States 27->45 47 4 other IPs or domains 27->47 69 System process connects to network (likely due to code injection or exploit) 27->69 signatures15
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-10-26 07:37:55 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgsttu6uwfmukuxb62weggblzzyud5lk3faorpxqeipta5fse5la._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4732b574a00a1be27ec6b4c1f6b64bb7d99dadf32e3ca5a1354b126976fd21d2
Formbook
5c925c5eae4683e5f9bb2c97974f3443b64e1c68b30ebc2c104dc450b58ab6e3
Formbook
80b93526dea47c9b61a0be6901b43f825ef2b4fdf1a7899787b785d7d4f08596
Formbook
925fa028b1511d9fb57e7f69efebff4c34228222af3adc11cfc45d930e9f6983
Formbook
98fe16bfb44e91d7c51602a2e5a9f6ac8740055ae96dc95ce5fa9d2d2b8c1f1a
Formbook
a217b4594093f3db0e915ed2a5ed293683269e29af9b0d5a220dc813edfd19d4
Formbook
dd53d18a4c884dba2710a5a6803e7d262e19ea2483ac526d5cca087edb318098
Formbook
e6f485f916c146ee933d72f5c979a1e1dbcee373bbb62a1c13d14c8d4d145353
Formbook
e823e333ce86a2ac88338d4be5d78fd5901ce23e789b37e23ce22a29b550e324
Formbook
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231026-p8nynabh4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
47ad438cfeca5048a674116b3e43a74eefa80ff08127b18364978465b568d29e
MD5 hash:
a7534dc46e5791eda2d64610f3a6630f
SHA1 hash:
e7ebcd72e8cbedf44a7e7edb91169d82aaec53ad
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e600d498-4824-4073-a235-19be3236c56c/
SH256 hash:
568a7da2bff42094514b3c8cda6ddbb35ee512c1555e6108bc4a8f1b0ca82f05
MD5 hash:
9c399b7c7da398a5912deba1b7712327
SHA1 hash:
8b914fe46df7335df48e5abf6cda0a668af17faf
Link:
https://www.unpac.me/results/e600d498-4824-4073-a235-19be3236c56c/
SH256 hash:
03ab0711fe0e407509f9e95a1bbeb7763d25807b27db7764da9f7908e7daa4d3
MD5 hash:
8356a514fe622f8ad2b5caf8ef8a03de
SHA1 hash:
50170170fff96400cb2398cc166dcae1088a700f
Link:
https://www.unpac.me/results/e600d498-4824-4073-a235-19be3236c56c/
SH256 hash:
51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756
MD5 hash:
e9353f3724be78a9e04fd2b63da682a0
SHA1 hash:
2a5052a602c4652e2a13e14f48cb1875c65212c5
Link:
https://www.unpac.me/results/e600d498-4824-4073-a235-19be3236c56c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51a539d3d4b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51a539d3d4b1594552e1f6ac43182bce7141f56ad940e8bef0221f3074b22756

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456541/

Comments