MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b
SHA3-384 hash:	1e3356fcc556e2ff5e6d8711166cd2ed6d78d0f90f9b1f7580d53369cbd843d876459cf05186aab211a316c922770974
SHA1 hash:	bed120701f37842b4b38fc145253a4386dac07b5
MD5 hash:	36a91779a593be04f8b64cf2870130aa
humanhash:	mango-charlie-xray-may
File name:	Shipment notice & Invoice82724.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	759'296 bytes
First seen:	2024-08-29 10:01:34 UTC
Last seen:	2024-09-02 09:16:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:x5LegJE7UcXFoKuJ1SwoPRTwoRhBPBCDjjy9+wydb916AafsoW0A:nC7DVoKuJ1S3Jf1/9+BLo
TLSH	T1DEF412A82A05D507C945A7790EB2F2F4172D4EDDE801E317AFDDAEEBBD79E020C54281
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

397

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipment notice & Invoice82724.exe

Verdict:

Suspicious activity

Analysis date:

2024-08-29 10:27:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ace74e9c-f49f-4de4-92b2-c0922f321b48

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.37.27990.17012.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d04725f1a57bfb7091485a

Tags:

Generic Static Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/66d0472297cdd8ae02a75100/reports/01b4307d-3e53-4cc9-bec1-073a7ca05925/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/81c5d041-4f06-482f-89af-d3e7d18f9295

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1501097

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-08-28 12:29:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=utmbupanwtwyysuq4yorenlxkshmam2mybywohgwzwzd7rcqvyvq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240829-l2tnsavhra/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5b78cf3f-e3fe-4564-967c-b946751c4986

Unpacked files

SH256 hash:

cb0da7e09ab8975e7407182194ff29f2986dea444d724a231e09c9e9dd7fd99c

MD5 hash:

104e6a02598b3cb01356802f12d6994c

SHA1 hash:

bb60c8ab67010a4147d7f43dbb1efb417bd4cef7

Link:

https://www.unpac.me/results/9f51aae8-ff06-4d2c-aa94-f23374cccfcb/

SH256 hash:

640da4bc859d8e6887a356130663dea78a197af60ae373ceb7b943f3de987252

MD5 hash:

88919861b061be28988489b4f47251a9

SHA1 hash:

45b27c3c6538e472b73f28ed10df9359f0dd4589

Link:

https://www.unpac.me/results/9f51aae8-ff06-4d2c-aa94-f23374cccfcb/

SH256 hash:

6961e640fbe5c57904ea6b8b6b5ba91971642021c46bfcb36838e2a86fb0b513

MD5 hash:

8ba5ba0b65f7999d2387b320ee6b0082

SHA1 hash:

27a23ba98fae1ee9bcbc945cb3c59e7b94216a57

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9f51aae8-ff06-4d2c-aa94-f23374cccfcb/

SH256 hash:

0371f633031157d98c883966e6c94a336700f5b66239bf96af10b571d059cbc9

MD5 hash:

29242cc49aa936795ada426e892c76b0

SHA1 hash:

45cfd75860f19a8fbbd79180a75c06280c79e663

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/9f51aae8-ff06-4d2c-aa94-f23374cccfcb/

Parent samples :

d3e597c7a7074ebbbf6def6c24c0b979de124435a2c9a01dcb9a36ee1c5864d8
8f81ed1c250530c6a24f60a8f0c39f48bd2c98f08e6100bc8f844fc3a53c6909
f4cc2743d202249ab338480e5c4cf22f2662065d078da09c89af833dbd1c1717
60734325fb48873fcbe11315a91032bef2048981cd35cdd24c6502cb81b03d92
c3d4bf7b34654afd79490a7c3ba3b19f9ccb920e3fa7649c23a73c8269fe6744
6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776
a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b
c5a4b944207f26a6625931bffe1cd9565bb20202ad1f49612342edf8df7995c4

SH256 hash:

a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b

MD5 hash:

36a91779a593be04f8b64cf2870130aa

SHA1 hash:

bed120701f37842b4b38fc145253a4386dac07b5

Link:

https://www.unpac.me/results/9f51aae8-ff06-4d2c-aa94-f23374cccfcb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a4d81a3c0db4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample