MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
SHA3-384 hash: 5988cc9595d0f76e25fddc7c7a8b5663022d9c20d88709f84c3d6cd38a341a3be3334cd8e5d7ab6e03f5fa29d7f5180c
SHA1 hash: 1fc70757fbfdf04cedd292bdd4c56e30e756859d
MD5 hash: e1d59c4d6f0bb8e55d996a855f834d52
humanhash: bulldog-kilo-berlin-mars
File name:58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
Download: download sample
Signature Formbook
Create hunting rule
File size:696'832 bytes
First seen:2024-07-03 14:14:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:/YV6MorX7qzuC3QHO9FQVHPF51jgcmH2ww2Ik+yGPChxMGRCzwnyCwlcLp/9:MBXu9HGaVH9wuk+yyoxMGRCwnyCw23
TLSH T150E423D24FD2EA6AC1A05375C83B9C946468247CCAC13BA9A364F23FF835743E51365B
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
Verdict:
Malicious activity
Analysis date:
2024-07-03 14:14:15 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/8b98f91a-5610-475f-90c9-30221de0912e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Autoit-10032538-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66855d50c9fc0aaeb3c8bff1win10vpnfull_triage
Tags:
Network Stealth Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
AutoIt lolbin microsoft_visual_cc packed packed shell32 upx
Link:
https://www.filescan.io/uploads/66855cec21581a9281a10ef9/reports/92534278-1885-4c75-af18-9c085a6624e3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3623f4f9-685e-4fc2-94e5-e424017fe498
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1467000
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467000 Sample: MUdeeReQ5R.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 39 www.autonomyai.xyz 2->39 41 www.upshercode.store 2->41 43 21 other IPs or domains 2->43 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 63 9 other signatures 2->63 11 MUdeeReQ5R.exe 4 2->11         started        signatures3 61 Performs DNS queries to domains with low reputation 39->61 process4 signatures5 81 Binary is likely a compiled AutoIt script file 11->81 83 Writes to foreign memory regions 11->83 85 Maps a DLL or memory area into another process 11->85 87 Switches to a custom stack to bypass stack traces 11->87 14 svchost.exe 11->14         started        process6 signatures7 89 Maps a DLL or memory area into another process 14->89 17 YbLkprrimJiVrJaajJ.exe 14->17 injected process8 signatures9 53 Found direct / indirect Syscall (likely to bypass EDR) 17->53 20 cipher.exe 17 17->20         started        process10 dnsIp11 45 185.234.72.101, 49754, 80 COMBAHTONcombahtonGmbHDE United Kingdom 20->45 35 C:\Users\user\AppData\Local\Temp\qtm8c.exe, PE32 20->35 dropped 37 C:\Users\user\...\2XHtrfJiG7Nkcxr[1].exe, PE32 20->37 dropped 65 Tries to steal Mail credentials (via file / registry access) 20->65 67 Tries to harvest and steal browser information (history, passwords, etc) 20->67 69 Modifies the context of a thread in another process (thread injection) 20->69 71 3 other signatures 20->71 25 qtm8c.exe 2 20->25         started        28 YbLkprrimJiVrJaajJ.exe 20->28 injected 31 firefox.exe 20->31         started        file12 signatures13 process14 dnsIp15 73 Antivirus detection for dropped file 25->73 75 Multi AV Scanner detection for dropped file 25->75 77 Machine Learning detection for dropped file 25->77 33 WerFault.exe 21 25->33         started        47 www.anoldshow.top 203.161.43.228, 49750, 49751, 49752 VNPT-AS-VNVNPTCorpVN Malaysia 28->47 49 upshercode.store 162.240.81.18, 49737, 49738, 49739 UNIFIEDLAYER-AS-1US United States 28->49 51 11 other IPs or domains 28->51 79 Found direct / indirect Syscall (likely to bypass EDR) 28->79 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2024-06-26 14:38:58 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lduj4eqovva4lhuvktx35nuejvbmkwmqmyfo5whxdmbxl4u4n4pq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240703-rkkmfasbld/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5608d49a-42eb-479f-9939-0e30f1b819e8
Unpacked files
SH256 hash:
fbc684b9f271d7181520b209e056c1716ba7b4978a2f16436f9bd70a092d9a70
MD5 hash:
d1c5b0c93c60dadd5c6407b6b008114f
SHA1 hash:
88bdaed82d9772d06d2e86f0b6b3b08d16e155e7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
Parent samples :
6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
ffda6d2c03b4e8cf19a1e2624498c3dfd30270f4cb0efeee908d9ca37cf0e1ca
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
1f66505224b6b1669db0864482bdbd457da983e886ed943c59834eae5e5c32f2
00f1fb00fbb9ce5d850680876407d82a520230bc09ffa540d5321fb5ecb1d0c8
SH256 hash:
80a405771746ba16d6cbee64bd480b6fa8e2ae49fcc0075ed9358ba1c4727dfe
MD5 hash:
77e88fbec9d9c24aef7284c21dd27e0e
SHA1 hash:
56142271a45747e78c36b18cae59282f8f6fe58d
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
00f1fb00fbb9ce5d850680876407d82a520230bc09ffa540d5321fb5ecb1d0c8
MD5 hash:
75275a7d90306518a25e75faa3f9bacb
SHA1 hash:
261a43856a4dfe0a77a753675c5a9e3e0c15785b
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
Parent samples :
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
00f1fb00fbb9ce5d850680876407d82a520230bc09ffa540d5321fb5ecb1d0c8
SH256 hash:
436d7c55266cc8023c6524a2da2319a96a76eb0af1e0eb3e0c60d2f1b98e4830
MD5 hash:
8f108a530837b4afa1f00768cd06a1bb
SHA1 hash:
b7e7d9725b9eabce8d73fe58293a7d13fc8df629
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
8a2e1c87b3afa405aa92e0b42c164c5272b5fbef9b17912d0a766ee2f1ea60f0
MD5 hash:
ae4280d086fa07bca1e2bb2f12916923
SHA1 hash:
a307ba890aa05f6c780d93f51d3d6d415c3c71e6
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
0f977ef2d2d6d17a5f41c6cd9b7bb75001d3d9db35fe772fa72d455b82e7177a
MD5 hash:
6e26d80498cf7f5e064b45e9d267644e
SHA1 hash:
7e20cb8d351a1ec06b3784fce1c4fdd2b802b572
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
000b6c8afe801f307e1b30a0fc458bfc529c6d1934accc4370f5aa5bfdb64153
MD5 hash:
33b3a51ab4a4ea485b3acff533a7bf39
SHA1 hash:
6861a14d14a09ff829eec4407d13528750ec9bd2
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
cf6c5c5813591114aa166fb69789478768255c21107fb4fa244681f5e3ee6c17
MD5 hash:
15c6b2389bb1d15402d69073253033dc
SHA1 hash:
640cfaaeb6d810d879d0e60672bd48fd25073e41
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
8780291541a2407acab542d4556d61c3375668c904aa458e6c67ca8850d74072
MD5 hash:
84022f8d687c962982b1e49eec0db442
SHA1 hash:
36b44075326c06e44d665be00f5566f964464a58
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
SH256 hash:
58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f
MD5 hash:
e1d59c4d6f0bb8e55d996a855f834d52
SHA1 hash:
1fc70757fbfdf04cedd292bdd4c56e30e756859d
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/4b973b3f-d93b-4693-b967-e17f7b39d220/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58e89e120ead/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.89
Link:
https://yomi.yoroi.company/submissions/58e89e120ead41c59e9554efbeb6844d42c55990660aeed8f71b0375f29c6f1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments