MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee
SHA3-384 hash: 86e9c93eba2a6a67ee71d1de996d5ad1892b112293a63bf6d6e1520dca645b747affcf9ae93e96591590f570659a6fe3
SHA1 hash: f00bd82aa5eec17a85baf0716a84d78daf285433
MD5 hash: 1be3bf75d7aaf60d980f4fff43fd0969
humanhash: oregon-four-moon-pluto
File name:Indent No 4020634A.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:377'789 bytes
First seen:2023-09-21 08:29:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:lYa6z1SLEzaZwZPqf9y8ukU2d25W26LesAhdov/z/WI3s475cGs0L+zbewSQC:lYB1STZjfzY2W+Odo7WI3siuGshuQC
Threatray 115 similar samples on MalwareBazaar
TLSH T1C684224023D6C053EDD1A6717E3E25317DE276AA10985A4E17A47B08B5722E5CF0FB3B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Indent No 4020634A.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-21 08:30:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15690c30-fd62-4335-a601-20515368cf23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450288/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/650bff0c0870810f01837d36/reports/0375efee-32c4-41d7-9934-1101ec50b9e7/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80d0e3b5-38d1-4a06-82ed-15b96e544bd2
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312113
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1312113 Sample: Indent_No_4020634A.exe Startdate: 21/09/2023 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 4 other signatures 2->48 10 Indent_No_4020634A.exe 18 2->10         started        process3 file4 30 C:\Users\user\AppData\...\ppdovtdxbl.exe, Unknown 10->30 dropped 13 ppdovtdxbl.exe 10->13         started        process5 signatures6 62 Antivirus detection for dropped file 13->62 64 Machine Learning detection for dropped file 13->64 66 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->66 68 Maps a DLL or memory area into another process 13->68 16 ppdovtdxbl.exe 13->16         started        process7 signatures8 38 Maps a DLL or memory area into another process 16->38 40 Queues an APC in another process (thread injection) 16->40 19 uogzOQbHlWlNwlNXnvAVlibXUNAmZ.exe 16->19 injected process9 process10 21 msdt.exe 13 19->21         started        signatures11 50 Tries to steal Mail credentials (via file / registry access) 21->50 52 Tries to harvest and steal browser information (history, passwords, etc) 21->52 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 24 explorer.exe 5 1 21->24 injected 28 uogzOQbHlWlNwlNXnvAVlibXUNAmZ.exe 21->28 injected process12 dnsIp13 32 www.blackgrow.info 203.161.53.83, 49740, 49741, 49742 VNPT-AS-VNVNPTCorpVN Malaysia 24->32 34 mydesigneredge.com 162.144.13.104, 49760, 49761, 49762 UNIFIEDLAYER-AS-1US United States 24->34 36 16 other IPs or domains 24->36 58 System process connects to network (likely due to code injection or exploit) 24->58 60 Performs DNS queries to domains with low reputation 24->60 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 00:29:46 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzkzng6fllzdyn22bfojrt47xtmubpitslxky5estelermdp2xxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626
Formbook
19bff37c5b894b30a3522a73a35387fce64f890b94745399c5e72e5bf9c46138
Formbook
281b4916e39e780d0d7e0629bec8c291ca344faccaa244280edaa8454732f113
Formbook
4fdfe40f48c52d70c5f3bade65c62b252e26808b6893ffd844a0cec8c9612b09
Formbook
619b74c414ceb8633539d653de1083cedd1643d16d0d3853773daa007fb43cc3
Formbook
874ee8f230f9d4ff0446d583f123f9822a34e990d57fcb235789c5bfbfebb73d
Formbook
fc563ce0d3583e88222493534f0f02d94ca9dab17c906c5deacf7132852b51b4
Formbook
+ 105 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230921-kd5wgagg85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
00d6981c28f6de337337d3b588cd18a2bbf35caa6a7373608ed0b39929df11bb
MD5 hash:
c4d5de27a64d30d71021518bf558641f
SHA1 hash:
2eacef848caf2723a2ed275f2c866f6f02cf637a
Link:
https://www.unpac.me/results/f3cbe49b-d318-4c12-8675-e8082b8a6360/
SH256 hash:
ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee
MD5 hash:
1be3bf75d7aaf60d980f4fff43fd0969
SHA1 hash:
f00bd82aa5eec17a85baf0716a84d78daf285433
Link:
https://www.unpac.me/results/f3cbe49b-d318-4c12-8675-e8082b8a6360/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae55969bc55a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ae55969bc55af23c375a095c98cf9fbcd940bd1392eeac7492991648b06fd5ee

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450288/

Comments