MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
SHA3-384 hash: 95b29155ab521d603e43b479c9d81b13f517258479c952a3b2209b040b03bd8e578d5e00cd37ffb9b64e09cd877fdc31
SHA1 hash: 6217e9a7218cfbbe315aa8d631558f5febb3139b
MD5 hash: d14ac19303ac82dd9370e6e3277ef1c6
humanhash: mockingbird-triple-monkey-autumn
File name:rPO86637.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'190'400 bytes
First seen:2024-09-09 11:40:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:vAHnh+eWsN3skA4RV1Hom2KXMmHaPMLQhufvlvkkMJf4x/Z5:Sh+ZkldoPK8YaPML0KvkNab
Threatray 3 similar samples on MalwareBazaar
TLSH T1B045BD0273D5C036FFABA2739B6AF64156BC79254133852F13982DB9BC701B2263D663
TrID 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO #86637.exe
Verdict:
No threats detected
Analysis date:
2024-09-05 21:10:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8df31e6-d85f-488b-a335-b54ec459a856

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.11298.17451.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66da16f18e12b8124ac95552
Tags:
Shellcodecrypter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66deded77fd554a24b9b54b4/reports/446965e2-f13c-4a7d-9fac-8473b781f493/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0141d17b-102e-499a-a6aa-6ad423611691
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1504651
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1504651 Sample: PO #86637.exe Startdate: 05/09/2024 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Suricata IDS alerts for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 9 PO #86637.exe 4 2->9         started        process3 signatures4 57 Binary is likely a compiled AutoIt script file 9->57 59 Writes to foreign memory regions 9->59 61 Maps a DLL or memory area into another process 9->61 12 svchost.exe 9->12         started        process5 signatures6 63 Maps a DLL or memory area into another process 12->63 15 fhSlYsGoxBSrK.exe 12->15 injected process7 signatures8 65 Maps a DLL or memory area into another process 15->65 67 Found direct / indirect Syscall (likely to bypass EDR) 15->67 18 netbtugc.exe 1 22 15->18         started        process9 dnsIp10 31 www.sqlite.org 45.33.6.223, 49162, 49163, 49164 LINODE-APLinodeLLCUS United States 18->31 29 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->29 dropped 47 Tries to steal Mail credentials (via file / registry access) 18->47 49 Tries to harvest and steal browser information (history, passwords, etc) 18->49 51 Maps a DLL or memory area into another process 18->51 53 Queues an APC in another process (thread injection) 18->53 23 fhSlYsGoxBSrK.exe 18->23 injected 27 firefox.exe 18->27         started        file11 signatures12 process13 dnsIp14 33 www.nobartv6.website 103.224.182.242, 49192, 49193, 49194 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 23->33 35 www.kexweb.top 63.250.47.40, 49177, 49178, 49179 NAMECHEAP-NETUS United States 23->35 37 20 other IPs or domains 23->37 55 Found direct / indirect Syscall (likely to bypass EDR) 23->55 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e/
Threat name:
Win32.Backdoor.Formbooks
Create hunting rule
Status:
Malicious
First seen:
2024-09-05 04:19:08 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqzo3rbutby7unlpfpkvzzcfxcpsbms7m6jfs36pcngluqldlbpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1124e6890aa9e5a314157ca65013a915a29af69c98aa315aa1edbbb2a5ad8eb8
Formbook
9edae2a8ff98921959db5b0838fbb3aecf892f701061ad93c489d78ca1ef71ba
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240909-nte7jawbnm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a997f7b5-5ab9-4360-897c-7c34008918d6
Unpacked files
SH256 hash:
43b84f6ef027228a04e417b14ff683b61ca2e5ae6b494c8a47c51c2210799254
MD5 hash:
c32c1cce7878ddbc4988e2493ec8251d
SHA1 hash:
0d1d344f8d6200b1eaab52d715bc9cf32b9f2850
Detections:
win_formbook_g0
Create hunting rule
win_formbook_w0
Create hunting rule
Link:
https://www.unpac.me/results/bf0eab8b-3bd1-48e9-b285-1c9778b74f35/
Parent samples :
14eff9206677e4d8b2ff0ba356e046aeabbccef08086ac1f1d0686be85dc0689
a47d17dc57da8ad544a45871fc79ad1201c46ccbe7189b69c6531219a9364716
ae2f77ad311caf919d2c2ed85c691d9906185b06b01d153d49bfa8ddb132ee3d
1124e6890aa9e5a314157ca65013a915a29af69c98aa315aa1edbbb2a5ad8eb8
1f0138f02c1d1be1f9a575ffc912f443a51904558e6687af49f971ccba9711b5
63d9db1d6ad43b29d1dc245eead5fea3cf85ab49815984bb531f74d80bf0d4e6
9edae2a8ff98921959db5b0838fbb3aecf892f701061ad93c489d78ca1ef71ba
ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
8c7ecd6f1bb4a8dabae53a4c6d5e936c1335bda20cc5e850434fc9b022289864
1872f51b5d3913490f3936ab41a7388212d4c10e389eb211bc448029380891ce
34cdc9dbeed25021f6a572352cc75a2c6b4fa6c273b89b55219e83f6c2466992
502812cc0e25d2c5e3053cb724b38407b6ba9e2ef6c0631d89879602365fd2a8
ec4594c01b27748273f47aeefc3fc2f3bc67af0b55a72ccd129936bfb0b715b1
64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56
f5d173e1e89e02211fa67806e20fcf4fb9c7dcd656929ffad54840454bae58a9
bb48191adb71c355f5695de90d2bfcf01926169809a36aa14082470dc90265ba
SH256 hash:
5e54ee037ffcb89f68711d221e8e0712697a77772500be4aa7e3ab619627c65c
MD5 hash:
f2003d56f6a580dcfa28cae9df8bcf38
SHA1 hash:
f4583f7d0ef26548734ee2c4bce7ad616becf58f
Link:
https://www.unpac.me/results/bf0eab8b-3bd1-48e9-b285-1c9778b74f35/
SH256 hash:
ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
MD5 hash:
d14ac19303ac82dd9370e6e3277ef1c6
SHA1 hash:
6217e9a7218cfbbe315aa8d631558f5febb3139b
Detections:
AutoIT_Compiled
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/bf0eab8b-3bd1-48e9-b285-1c9778b74f35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments