MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf
SHA3-384 hash: afc62b6a4761baedb0fb23e169d0a1dadec59a2fc83b732ffefca1a6ab1175407288f6c18015f439b4e99ad4889e94fb
SHA1 hash: 9f65dd52a2c10b631bcba61acc3c9328ff96eb19
MD5 hash: 2e181c3c4d4931c96c895790eea51abc
humanhash: lithium-batman-batman-saturn
File name:Debit note Jan-Jul 2024.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:799'232 bytes
First seen:2024-08-21 17:57:09 UTC
Last seen:2024-08-21 19:13:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21371b611d91188d602926b15db6bd48 (61 x Formbook, 23 x AgentTesla, 20 x RemcosRAT)
ssdeep 12288:asHzOUNUSB/o5LsI1uwajJ5yvv1l2JwrG/r7aNKR9HToSUYePAKHz:NiUmSB/o5d1ubcvuVmNKDoSUYeIgz
Threatray 2'913 similar samples on MalwareBazaar
TLSH T12405235669C0DC89D22273BAC4B2DCA597E6B631EF943B55ABC0F6AFB8313805403D1D
TrID 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Debit note Jan-Jul 2024.exe
Verdict:
Suspicious activity
Analysis date:
2024-08-21 18:19:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf0d8d04-6d7a-4d7a-a8e5-dbcc64e4f3da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.AgentTesla.13683.23123.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c62a70b2a4681a72966fc1
Tags:
Encryption Redcap
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
autoit lolbin microsoft_visual_cc packed packed packed redcap shell32 upx
Link:
https://www.filescan.io/uploads/66c62aaccc3833d9d09ab693/reports/94ee289c-7c3d-45ff-aef5-10b9416a000e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/676c754a-af3f-4e0b-83c0-0910da50d948
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1496874
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2024-08-21 12:23:52 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=le6uv4msft3634uqroudb7b3utg46up4aiz744tyhtmdmjb7x3hq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5dd25e32ca50fdacf6b304cfebd5d222141b9a13d9120c3a61342ff4588c85f0
Formbook
867b98b3220ca96c65920c77d29a58e7ad4d3446db14ec334027c0400577e9f4
Formbook
a5edb017a2c0bf9834ff392e81d47ed90dade6e41c0549a8b3e9522e76d2c8c2
Formbook
c10f72e90f08921781cab13aa7d3a9d21c961cf97f46590eed4c1cbc6ebc1d66
Formbook
ccc6905f505b5e8c74c51e4774d278e9dadbd2c3238c0345db82f251070542af
Formbook
d6e12ca72ee501a41c85d8aeee6ee15bd6f203622a3fd875996bebb4115fb404
Formbook
ee596cf029dc09743a0db9f7d08c90800e77f91a81f558526216702e425d0f98
Formbook
f76b2b03f3bcae16946cc4df5c6e8f0c960c415c38279a170e2dbf9ebcbd31f7
Formbook
fac6b0f37747e1764dd47ca17170bb6639bb9404d204f02ddd5df118aecf7c4d
Formbook
ffd3edf7463b0935071c49b75cf9c9b63720f1e114084bce2747ba6578e6e83c
Formbook
+ 2'903 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery upx
Link:
https://tria.ge/reports/240821-wj5y7swdnk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5b6e8402-124b-4cb7-8b7a-c516feb2c12a
Unpacked files
SH256 hash:
a733c718bc86efb4dd0bc2f6003442637844451bbcf516ba0347300751ca672e
MD5 hash:
c7a95d6083a747e77534fe4d3a834e43
SHA1 hash:
ec7c51b46c3e2e3cfe8d5caaf5f5169c4cdca4a2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/9ef982ac-ceb3-46c1-be28-ffa464a77c66/
Parent samples :
593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf
2b2814cc30915dd6022bf80353b6e37bdabd379c351fd2e201cd3ee53621b147
3666991ba9b1b0ab338f41c37c0bfe3a8ae0fbfbde9820679a76362a610a0b23
d662f78e5e0c62cdc866836476cc59a0f26edd95d9e14fd2f246792c39f44096
17a478564c4eb41b217ae131ab1b433278bb60bd0d4b0f876f602d71336abae3
3fe4c784dfb841053360622561788dacfc8e4b81567bc461e4cd33e61d2d1e64
e38d7e764bae9be6ef464c001dc3784c28d165bff06c390ef600d785ec1871c1
SH256 hash:
b56ca9d855c924787ee2fc975458503b38c2cdc2990386bc1aba61372ba4a5f0
MD5 hash:
70b61828deeb6bc00745fe9f4d283437
SHA1 hash:
f2fb66e2c0311841603dbf3220a11ea4b84a8ea1
Link:
https://www.unpac.me/results/9ef982ac-ceb3-46c1-be28-ffa464a77c66/
SH256 hash:
257537162f1b1a170fd59ebef51435c753c0bb1076a3a631a6cca8a18fb80df6
MD5 hash:
203a31c7ca57989f8f8dc9e8e30d9804
SHA1 hash:
960dee74756512bc305242ba596ca03790dbc3d3
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/9ef982ac-ceb3-46c1-be28-ffa464a77c66/
SH256 hash:
593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf
MD5 hash:
2e181c3c4d4931c96c895790eea51abc
SHA1 hash:
9f65dd52a2c10b631bcba61acc3c9328ff96eb19
Link:
https://www.unpac.me/results/9ef982ac-ceb3-46c1-be28-ffa464a77c66/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/593d4af1922c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 610297907bb67a93834cbb1c54f2342062179de5a10209f43f50d5273d41e776

Formbook

Executable exe 593d4af1922cf7edf2908ba830fc3ba4cdcf51fc0233fe72783cd836243fbecf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 610297907bb67a93834cbb1c54f2342062179de5a10209f43f50d5273d41e776
  
Dropped by
MD5 beea18d8e58806e38908b1e00bbacf37

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments