MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2
SHA3-384 hash: e48a46a7e1e55fe9005cf2f6841ca14a76e65c6c9c953b6a8c605da9a0b199663cc25d8a7351f00ba6939e117d57c4ef
SHA1 hash: f1b04f09e2cd41d4a7763b7579404a792bbc0806
MD5 hash: 4a29481bcff7afa8eba55c66ea729833
humanhash: river-eleven-winter-triple
File name:4a29481bcff7afa8eba55c66ea729833
Download: download sample
Signature Formbook
Create hunting rule
File size:260'716 bytes
First seen:2022-05-24 19:20:23 UTC
Last seen:2022-05-24 19:57:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55f3dfd13c0557d3e32bcbc604441dd3 (124 x Formbook, 18 x Loki, 13 x AgentTesla)
ssdeep 6144:B0Y04LVRyZXRYRW66VAkjLSAXqlZQ0XfuEL7uve:EgRyZhJvVrkg0Xm4N
Threatray 15'975 similar samples on MalwareBazaar
TLSH T18D44234616C1A8FFF90B42F51E77E65AE2B639056301C38F0B941F7F2836499EA0B157
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
455
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
4a29481bcff7afa8eba55c66ea729833
Verdict:
Malicious activity
Analysis date:
2022-05-24 19:27:56 UTC
Tags:
installer formbook trojan stealer
Link:
https://app.any.run/tasks/53112f82-4a26-4aaa-8310-eed989093d92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274268/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/628d30603ec49f83a6c828b5/reports/f4b37f39-5b3f-4f01-b543-1f66655fa89c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f73b95fa-cbbc-4d13-aa44-e247d42bc852
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001003
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 633500 Sample: EIr6ia75Vn Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 4 other signatures 2->50 11 EIr6ia75Vn.exe 19 2->11         started        process3 file4 32 C:\Users\user\AppData\Local\Temp\xhmmdm.exe, PE32 11->32 dropped 14 xhmmdm.exe 11->14         started        process5 signatures6 58 Multi AV Scanner detection for dropped file 14->58 60 Tries to detect virtualization through RDTSC time measurements 14->60 17 xhmmdm.exe 14->17         started        process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Sample uses process hollowing technique 17->40 42 Queues an APC in another process (thread injection) 17->42 20 explorer.exe 17->20 injected process9 process10 22 help.exe 20->22         started        signatures11 52 Modifies the context of a thread in another process (thread injection) 22->52 54 Maps a DLL or memory area into another process 22->54 56 Tries to detect virtualization through RDTSC time measurements 22->56 25 explorer.exe 1 160 22->25         started        28 cmd.exe 1 22->28         started        process12 dnsIp13 34 192.168.2.1 unknown unknown 25->34 30 conhost.exe 28->30         started        process14
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 18:59:49 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtsemebaqhb53klksekfe4hyue6oggfxbc7kheq3ykdojrx4ykra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3e20e05dc0f89bd2a37936b5e3a2631af6cdb687218275731b6f7e7f79febc9e
Formbook
4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
Formbook
5d429d5b5040db22296b658ddf87b4ee8a5dd7ba5e780453c2336dd13555e4bf
Formbook
65d63079af57f5ae33cb341bc94f3882d2516efc82a0373775c564759aeb862e
Formbook
6b19bf1ec55b55f38c00c74fd66dd45c8d7e12eebebca913c4d21152ed0ced8c
Formbook
7742139fb0f3ddbfa59f16f86945fd1e77a9cf381255f2e792d19a22d0ad9b7d
Formbook
b01852366a757d7a668950fe78fe78113c184d24db59aefe7dd52c44eaed2c77
Formbook
d951d78db324f840c3dd3233c7900a8193329d769550cbf1c8857d5ef3fb5252
Formbook
dacb77cc1043b74ae83d504072258f6157c6bb72fcf340356cbd932cb10bbf28
Formbook
+ 15'965 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:pvgu loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220524-x2ncjsedh2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
a37cdc8006a5051e67318c53063fcb7f308c148c9ac4fc4f7509acc21b959529
MD5 hash:
4776e9b5818262811102a68c969d28f5
SHA1 hash:
bcceb6f6463d193f8fb3569053649ad3e01e4d78
Link:
https://www.unpac.me/results/aa0c7d5f-6651-4f94-8d37-acbdf433c4c7/
SH256 hash:
b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2
MD5 hash:
4a29481bcff7afa8eba55c66ea729833
SHA1 hash:
f1b04f09e2cd41d4a7763b7579404a792bbc0806
Link:
https://www.unpac.me/results/aa0c7d5f-6651-4f94-8d37-acbdf433c4c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2209724/
Cape
Cape
https://www.capesandbox.com/analysis/274268/

Comments


Avatar
zbet commented on 2022-05-24 19:20:25 UTC

url : hxxp://198.12.84.30/421/vbc.exe