MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66
SHA3-384 hash: 33c3bba7fe6cd806bb837983b6c4377b4fbb36817c74f3a9f82b47e28d2278030709631d514bddf7eb9b53a5b35c2809
SHA1 hash: cc02b0e247e89dfe178a85febba67ee2569e9a97
MD5 hash: 8b9f6452403c23ac64c9ddd3868d8dfd
humanhash: two-table-sixteen-west
File name:Image009.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:647'168 bytes
First seen:2022-04-27 09:21:40 UTC
Last seen:2022-04-27 10:00:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:YAeFYLWJeJeFF9/6HVlb3426h5Q8ihk39kxDEywR2TLzonHaee:RQPr26vahgcpwR2LHee
Threatray 15'209 similar samples on MalwareBazaar
TLSH T12FD4E004BBFACA22D2E94B33C5E646044BB4EA13E117EF4F7AD56AD50C0336B9841B57
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 69dca0e8e8e0c448 (22 x AgentTesla, 8 x SnakeKeylogger, 6 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/267193/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.16771.29935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe msbuild.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62690b3e75c6f158e8fe39fb/reports/9b5d6861-9339-4a6f-9d11-f1d33705f5c9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0db6378-452d-484a-ab7a-d6bc4e90ebe0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983941
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 616436 Sample: Image009.exe Startdate: 27/04/2022 Architecture: WINDOWS Score: 100 33 www.paten4d.tech 2->33 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 11 Image009.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\Image009.exe.log, ASCII 11->31 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 Image009.exe 11->15         started        18 Image009.exe 11->18         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 20 explorer.exe 15->20 injected process9 dnsIp10 35 www.shoptruongstar.info 188.114.96.7, 49758, 80 CLOUDFLARENETUS European Union 20->35 45 System process connects to network (likely due to code injection or exploit) 20->45 24 control.exe 20->24         started        signatures11 process12 signatures13 47 Self deletion via cmd delete 24->47 49 Modifies the context of a thread in another process (thread injection) 24->49 51 Maps a DLL or memory area into another process 24->51 53 Tries to detect virtualization through RDTSC time measurements 24->53 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-27 09:22:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqzcszhfbddxkco6icnfbu3ggd7pqohdryga7gm67yae3fidf5ta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2c9a7034a9d5463d3c4e91dd5b652c91e906864b1731933397b41662bf85d0d2
Formbook
3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70
Formbook
3859da72cd34fc9b4ebe2ff100a3d888845836f4945bf2bcdfb83d5d0d16508a
Formbook
6c508beda564432a5658a9a1a1ef8061971195cc9ad84fba7c38db9b65450eab
Formbook
9029cb23c3237afc1e63076ffba6a89ed9d4fec8df9606feebe68b2de092fa36
Formbook
96de11fc0f948fc3039f297475ba8abfcedaa7a9718634359286fe49156cd216
Formbook
a002227c2d9227812bbfe3c57117f2c5d3bc57b9930158aacdf0da14a2807089
Formbook
b0f1a1bfefa0359f8ef181219a761192e70a2d8ec0dd07692ffe24814f50c11d
Formbook
dfa0138818e4f998337af94d5fea30fc920237ffba320fe5acd7af469db0c4a8
Formbook
+ 15'199 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:amdf rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220427-lbw18aebgq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
672d7f465410e694e1440c445c7e327cc45b9b85b7cff8cbcee1037f462da326
MD5 hash:
f585b0d027c6b12b0fb8f1b9854e796d
SHA1 hash:
14cfb5cb7dfdd5d87a4cdace85b771d17e3a6dac
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/83f9443c-e3c1-4ddd-afb5-00838a222c25/
Parent samples :
2c9a7034a9d5463d3c4e91dd5b652c91e906864b1731933397b41662bf85d0d2
483ed9970fb8cdee1c36545135b320e732229e99a78f8feda9c73e149c5c72a9
3859da72cd34fc9b4ebe2ff100a3d888845836f4945bf2bcdfb83d5d0d16508a
87c14083b7daa3b4e8dd2575bc4a5df20697a3a1a7782832005934b889267f9e
68e265f91b0d490b77c839124d7a851b7a2df3581e5e9a10cdb444917114d12c
05aed53e8423caa4f5e47b2a77e58a1a882e42c03fa9f99cd88ce07d8da3aea2
c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66
e677af4720b0b6402c8b677265968541dfa6b57f12578f7701ac840bd1f0889f
81a32d1f1e2cdaad0988595ceef9af6fb40e7f2f7d08d7794a4fa7e1b09d37e8
6c3c0920a4c885197c0a9a51c1c3ffbc7e8d07548b9cf3c218a564ca720e74b7
07025c10612dd161baa9c67fa04da140aa590c95b10e0079be1fbabcfeafff42
SH256 hash:
92fc621e886ad486195efe1b074a5186c27599e3dd4d71c72cae3078b8660ae2
MD5 hash:
e80503550a2aa077f62f09c7dc6be7e4
SHA1 hash:
f93e86c149eac50b611a1f9a7b59f5d81026262c
Link:
https://www.unpac.me/results/83f9443c-e3c1-4ddd-afb5-00838a222c25/
SH256 hash:
7403badec1d3d7fa7af3a3a4d2bc0330f3948ea91f96df33083a5c7f9076934c
MD5 hash:
08ccd3c3837fca2f73ae71e483975b02
SHA1 hash:
bd4101c4c165d008f7a724836b2bd3b017bdd14a
Link:
https://www.unpac.me/results/83f9443c-e3c1-4ddd-afb5-00838a222c25/
SH256 hash:
97dfa7be5e81a139d9b4381f0dc6f97ead13bb2efc58343ff5c09dc8b2c8632e
MD5 hash:
384047f0ecf1aed4944821be5b5c99df
SHA1 hash:
78287cf125fc30140dfa1d24a68962cf6ca5fc9a
Link:
https://www.unpac.me/results/83f9443c-e3c1-4ddd-afb5-00838a222c25/
SH256 hash:
c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66
MD5 hash:
8b9f6452403c23ac64c9ddd3868d8dfd
SHA1 hash:
cc02b0e247e89dfe178a85febba67ee2569e9a97
Link:
https://www.unpac.me/results/83f9443c-e3c1-4ddd-afb5-00838a222c25/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c4322964e508/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c4322964e508c77509de409a50d36630fef838e38e0c0f999efe004d95032f66

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/267193/

Comments