MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73
SHA3-384 hash:	83c2b5f5937e2cfabdd0ccac041c86935394a3f804dc1ac4bde9f0449d2eaa4e0bcb86a551f67dd22148dc7ec4e09c4f
SHA1 hash:	cb9ba7c0e151c57548b9ced077ea052e1572d47f
MD5 hash:	9a191169580faebbfe68effa27f685fb
humanhash:	sweet-mobile-sixteen-angel
File name:	STATEMENT.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	642'560 bytes
First seen:	2023-05-15 17:07:30 UTC
Last seen:	2023-05-15 17:55:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:vxyzmQSG8JxMy3kz/J8VWw69yDhNrI6avAHj7OMHiS/ASA8PKw:ozmJdbMZV8EhyDhK6aoDRiv07
Threatray	2'876 similar samples on MalwareBazaar
TLSH	T1EED4BF89323FBCD3C66806F1210034534B7DA11678A8F0F97D97B8D9D8DAB921BE45A7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

STATEMENT.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-15 17:08:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a29df990-0448-4768-8d66-b9e4738f5d72

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/390221/

Detection(s):

SecuriteInfo.com.Trojan.KeyloggerNET.52.13735.20099.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/646266f318c2b9a49ad25ee7/reports/6863a8f7-6063-4e0b-976f-362dd83999a2/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4bf04594-9f11-4aca-89d9-ac4567e4a262

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1233971

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2023-05-11 11:11:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=utmhk4orsswuph6tjokoveoiv623bpker4qdfkegr6s4c2w3vjzq._file

Verdict:

malicious

Label(s):

formbook

Formbook

030026bf6983702ec4865754d69d48af120bf0dea165ef7ef22428422412fff4

Formbook

3fe2c04c33423019af7464d50b3df0775a565e9a31e1a289b49e4e180585ab00

Formbook

4627b5c64c1c639a6930dd1f9f135e396853e6bf418c8c0d3c6eaec18b3cdc12

Formbook

4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769

Formbook

6f6635f95155f37d66c295977e973d28b681fb57fc50caf361e5e13f1037008a

Formbook

70d1125e7b5eeec17ca0248a72e7ea949bb78364928423d5ec062bd4e7eb825a

Formbook

8f3449b43eb5b5bc23330078ff8237c5d743a73519348f95b3c51d691f5663a3

Formbook

a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc

Formbook

f1c78b2121d019681e884190c1968c1fbdd4d38d42933c2e6c0aefd4daa3f6a7

Formbook

+ 2'866 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230515-vnjq4age85/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

e031d5f3652259dd052e79eaee198ab7fb0feb522a859771289a39a73a297f06

MD5 hash:

5e5b621044793588fde2b9482b862083

SHA1 hash:

b85e8343fc412a63748589cd544b90ccc841dc92

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

Parent samples :

0003b5d6c92e1466b6f734da9175b9cfc65ebd4d576b73f92100b0b2e899bb3b
19a7140e84227b4d9af59569af23a0a5a1edd34c45b24691348f227f2c540712
4759019b080ba0e6212bf1db94be7c1efebcb517a7cd7060186f50731c662769
a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73
e2c2908685e1e75ab146191d8757a42fda84c0c0be27f2fd7fe301a8fc0bb679
1d362a46e002c187e1ad022dea2fa97809a211c9ba763cfe63600d893fa3ab08
83655561bbc25a8d8d3e737bed283be32e228982310731a9640000797cd520b3
8bc2209887fffd6b27980ba8c2c138deb45370c5b0a8434f9542897c6a05c931
ede3876cdaa9f15dc9f49a080713bfc4e254d222d99c2a09b999d62d1d4f8c05
b755e080b9f6705b088275a44a96251bc547ad58b4f63c9988d90e1c97bf283f
36bd2802a452a2bee1659648b0a4b1de0cde1ebac09d0d5ebe0e2c1189483432
6371e6f808e46f98c8d2e98d1a81203dc6ec3aa755ee5e61bee436bcfdb92cbd
a29611641a2f20fafa07843982a24baf1e253bf03439d0905b61e816339158f9
607dcd836bd33a6d2afe6ef3c632468ef126eb49923409e246ba7ec86311c5a7
00446b78e85b721ff8ab19643f451074ed52d3ceb924f059f1b1c778af8fc42f

SH256 hash:

fc83e07cff47a7ea1058bf4d75f6d98fcdaf457a6f88007dccbbc36796a16847

MD5 hash:

fe559bbf47ec0c554420bba97f79ba0e

SHA1 hash:

c097427b5800a352d105c830e98332fe8925bcdc

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

SH256 hash:

18c500fef7a733e056399b7ad4af01f3628c96c09d1e1746c26aa2b657cef030

MD5 hash:

17c91046aefeafc7d2fb1341fd587719

SHA1 hash:

9dd2279070f5c48c44aa86b78c54e32db0b5dad4

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

SH256 hash:

c72ca892abebd8794a9544913d071c3c91356f5075509717727e180e87cb98ba

MD5 hash:

25383385b11436b817ed4dc0419f4e24

SHA1 hash:

9441f35f45a30503ebb2c717209f29341b5b48b6

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

SH256 hash:

acd33af177dcfe8f3f074fb42f303a7c434b507f32f65620d0fe0ed4d8348020

MD5 hash:

b0ad7923b9cdc8dae6602a7f9b18457a

SHA1 hash:

86d54dfeae58e47e81cd0cbf28d8f694730c04c5

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

SH256 hash:

d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218

MD5 hash:

e5d93dadd08b8bc727e4f4853c6881ba

SHA1 hash:

27e0e057d33f01586193b0cbf06561c2863951f4

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

SH256 hash:

a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73

MD5 hash:

9a191169580faebbfe68effa27f685fb

SHA1 hash:

cb9ba7c0e151c57548b9ced077ea052e1572d47f

Link:

https://www.unpac.me/results/292b7b51-00ac-44f7-968a-3369d091772f/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a4d87571d194/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe a4d87571d194ad479fd34b94ea91c8afb5b0bd448f2032a8868fa5c16adbaa73

(this sample)

Dropped by

Formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/390221/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample