MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce
SHA3-384 hash:	4f0a145672d0218141d337c5c2335deeac31d00e840de81101ccea7b482ed0f01ef731bdeafcc6b79aef9e03d4c3cdf9
SHA1 hash:	adcd8cd998f55f75bcc0999f10d98cd1bbe568a2
MD5 hash:	5a5203a27db662eca103556a4eda84fd
humanhash:	steak-video-four-oregon
File name:	OSLA24090177 & OSLA24090178pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'065'839 bytes
First seen:	2024-09-22 15:32:49 UTC
Last seen:	2024-09-24 09:30:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep	24576:tthEVaPqLsvEvt32gWuGH4N5a64qygxcuxl/fIz6KUtYRN:VEVUcxV8Hw5a9qyml4WVYz
TLSH	T15535338E617A7A09E46022B5D24A174341A0F836977DCF1B7393EF5B6DAF01A7D2034E
TrID	86.7% (.EXE) AutoIt3 compiled script executable (510622/80/67) 4.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 1.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	b150b26869b2d471 (468 x Formbook, 101 x RedLineStealer, 94 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

360

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

OSLA24090177 & OSLA24090178pdf.exe

Verdict:

Malicious activity

Analysis date:

2024-09-22 15:37:09 UTC

Tags:

upx autoit

Link:

https://app.any.run/tasks/4ff451f7-cfd1-42fc-a3dd-cede7f20a439

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66f038bb5346c7b922acf93d

Tags:

Encryption Malware Monitor Autoit

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit lolbin microsoft_visual_cc overlay packed packed packed shell32 upx

Link:

https://www.filescan.io/uploads/66f038b8d2758b8668bb3b3e/reports/6b151e52-30a5-4ac4-983b-ced3b5af2734/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd7922af-bd11-4041-9387-ef0fd834054d

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce/

Threat name:

Win32.Trojan.Autoitinject

Status:

Malicious

First seen:

2024-09-19 03:41:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wujqcrmdql7mtdgagexbqsmtp7ysst42vbw6czjvnroaeb7mqxha._file

Verdict:

malicious

Label(s):

unknown_loader_036

formbook

admintool_powerrun

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery upx

Link:

https://tria.ge/reports/240922-sy7vkawhmm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Verdict:

Suspicious

Tags:

trojan

YARA:

MAL_Malware_Imphash_Mar23_1

Link:

https://app.threat.zone/submission/2a1d1d82-2e07-4397-8820-3637a8a2d037

Unpacked files

SH256 hash:

4c2577a2d4c010889c398d507df3e5f1df2c96adac8d845f5c830e1e22278dfd

MD5 hash:

9f4a5f8e746c04dae18d00c71024734c

SHA1 hash:

8f348813cfa6c5c5dcc8c62d2e30d0de525564ad

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/6e8d9e7d-4405-4a6d-9ffb-02cdd17be50a/

SH256 hash:

3a6e1c87ac66a360a72130719c3540b90418957e9b10bd535fe31f0204707df6

MD5 hash:

1a6835cc8b1e5777cc53b94780e7e846

SHA1 hash:

416a70ce8e1145908241086104aeb8c63e5f1a10

Link:

https://www.unpac.me/results/6e8d9e7d-4405-4a6d-9ffb-02cdd17be50a/

SH256 hash:

708ed39ec646a809acda81597f29566231d2f26264ae249cdb50a6f1fa201aa9

MD5 hash:

213a418928ca27fc29fbea7949fd8ad4

SHA1 hash:

02b12631baacc5ab7941b1ef7b046ff70eb81ac8

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/6e8d9e7d-4405-4a6d-9ffb-02cdd17be50a/

SH256 hash:

b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce

MD5 hash:

5a5203a27db662eca103556a4eda84fd

SHA1 hash:

adcd8cd998f55f75bcc0999f10d98cd1bbe568a2

Detections:

MAL_Malware_Imphash_Mar23_1

Link:

https://www.unpac.me/results/6e8d9e7d-4405-4a6d-9ffb-02cdd17be50a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b51301458382fec98cc0312e1849937ff1294f9aa86de165356c5c0207ec85ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetAce
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample