MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
SHA3-384 hash: 332c3b7e0c23e7fcd90f4666c246dce0afaacf99fd0b88aba4f0f9bd25bcdb811133a99d76067a56375659a91a7199d5
SHA1 hash: 5612bff0830a9a025eb35cf7c054d2062745d1b9
MD5 hash: 6e8215eee3034d6dcf18d79d397e5715
humanhash: seven-maine-timing-lemon
File name:6e8215eee3034d6dcf18d79d397e5715
Download: download sample
Signature Formbook
Create hunting rule
File size:1'272'864 bytes
First seen:2023-10-16 09:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 24576:ZQ3IGHgEKN05uKEPfbze1J9c8ae1D1FkTaO/bwntZKo4PCnsoO+Lt:ZQ3IbGEf+X9Xtk2O/bw7KpCnsa5
Threatray 3'629 similar samples on MalwareBazaar
TLSH T12C45236023C1D97BEB5A47F4AA9E29FAA1E4CE87DD28860B93143F713F723458D214D1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-15T09:03:08Z
Valid to:2026-03-14T09:03:08Z
Serial number: 57f1b2b5b2c4b7c9c1def821a4632d692e16b719
Thumbprint Algorithm:SHA256
Thumbprint: 874162bb890ef7a67c60203f2dd0e4ee2f4015c6f2c437bc175010c6ae2fb567
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://103.72.68.128/S1510M/smss.exe
Verdict:
Malicious activity
Analysis date:
2023-10-16 08:19:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c50a77e-e298-4cce-be32-a57e1e6a1be2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454797/
Detection(s):
SecuriteInfo.com.FileRepMalware.26947.2966.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Delayed reading of the file
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/652cfd0228455aedec11dc05/reports/82431568-14a0-4402-839a-c7994ef33d7b/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0ea5326d-8508-4a25-8a14-c394b17d1c72
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326341
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1326341 Sample: jU0hAXFL0k.exe Startdate: 16/10/2023 Architecture: WINDOWS Score: 100 33 www.wgardsgm.live 2->33 35 www.thesoftwarepractitioner.com 2->35 37 18 other IPs or domains 2->37 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 8 other signatures 2->53 11 jU0hAXFL0k.exe 2 35 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\System.dll, PE32 11->31 dropped 14 jU0hAXFL0k.exe 6 11->14         started        process6 dnsIp7 45 103.72.68.128, 50125, 80 FARIYA-PKFariyaNetworksPvtLtdPK India 14->45 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 Queues an APC in another process (thread injection) 14->67 18 explorer.exe 2 5 14->18 injected signatures8 process9 dnsIp10 39 www.nightoracle.com 103.224.212.210, 50129, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 18->39 41 www.robertjamesfineclothing.com 104.247.82.51, 50142, 80 TEAMINTERNET-CA-ASCA Canada 18->41 43 9 other IPs or domains 18->43 55 System process connects to network (likely due to code injection or exploit) 18->55 22 cmd.exe 18->22         started        25 autofmt.exe 18->25         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 22->57 59 Maps a DLL or memory area into another process 22->59 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-16 03:33:27 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrdwdqsz3lw6jnhpw6ebnsmpwvrujy4bxnlnnhvis7bqzgezx44q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
393f41d6aaa447a3fc89f83b3ffb08574464197bf45704ba8226cd070b63c6ed
Formbook
795998e9064cb981d6a40a34fbeee48381121ea7ac7175ffe5b506b11cf843d7
Formbook
7da9294ba554d4c17ed9e4caac9836e303980814c7898b422ccde7a246ac26a5
Formbook
b88b53db5c1fd0779cb7718630d7ac90f0ff81cfc7e8495bff1325743adeff65
Formbook
bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3
Formbook
c1aa65f7c2cc6beb7052c8ada46a3139fc01da66890f4153a7c5761292b71d61
Formbook
+ 3'619 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:rs10 rat spyware stealer trojan
Link:
https://tria.ge/reports/231016-k2rczsda7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
MD5 hash:
0063d48afe5a0cdc02833145667b6641
SHA1 hash:
e7eb614805d183ecb1127c62decb1a6be1b4f7a8
Link:
https://www.unpac.me/results/9f5de2db-b433-468c-8f2e-09eee3ec444a/
Parent samples :
5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a
SH256 hash:
ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
MD5 hash:
6e8215eee3034d6dcf18d79d397e5715
SHA1 hash:
5612bff0830a9a025eb35cf7c054d2062745d1b9
Link:
https://www.unpac.me/results/9f5de2db-b433-468c-8f2e-09eee3ec444a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac4761c259da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2721028/
Cape
Cape
https://www.capesandbox.com/analysis/454797/

Comments


Avatar
zbet commented on 2023-10-16 09:06:01 UTC

url : hxxp://103.72.68.128/S1510M/smss.exe