MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 21 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc
SHA3-384 hash: 50608ed5730516dbeb6fb4f4f5bcaac68d7302d0468958afeabe1447b02bbb707142128a9a8eb44258587f54088de5ba
SHA1 hash: cbba228288ee101662f2c6a7c38657c988599938
MD5 hash: 80616f9cfa4570ce8b3b97b6f6c2bee0
humanhash: seventeen-ceiling-montana-charlie
File name:80616f9cfa4570ce8b3b97b6f6c2bee0
Download: download sample
Signature Formbook
Create hunting rule
File size:1'177'600 bytes
First seen:2024-04-30 06:46:20 UTC
Last seen:2024-04-30 07:32:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YjU00pFjzc/AKBJORsLQPF5F7AhDbEKIkHKvKcnenugCUlEr6GEUF5PeR4j29J4J:m0s3BJBeFSWKSenugC9SiVMoC6zbP
TLSH T10E457B5A37E5425ADDBA423F60DB48397B75EC062323E70F0386BA7A3C53748D8614A7
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc.exe
Verdict:
Malicious activity
Analysis date:
2024-04-30 06:47:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80a499a2-41cd-4bed-b9ba-17f6cff9e9b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ba36ea9-e71d-4f3d-83b8-d5d4120f5eb8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433891
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433891 Sample: n5CCcrkB0Q.exe Startdate: 30/04/2024 Architecture: WINDOWS Score: 100 28 www.yamiyasheec.online 2->28 30 www.vavada-band.ru 2->30 32 19 other IPs or domains 2->32 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 10 n5CCcrkB0Q.exe 3 2->10         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 10->60 13 n5CCcrkB0Q.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 16 RIByVwlzErSRFUWstTWMysBtNIbbP.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 netsh.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 2 other signatures 19->56 22 RIByVwlzErSRFUWstTWMysBtNIbbP.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.quantummquest.top 203.161.50.127, 49724, 49725, 49726 VNPT-AS-VNVNPTCorpVN Malaysia 22->34 36 www.whirledairlines.com 216.40.34.41, 49720, 49721, 49722 TUCOWSCA Canada 22->36 38 10 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2024-04-30 05:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4mxea3f7nciwie3pyiu36wtre763wm7f4xvwg32pzig4xopw6xoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240430-hj7adafb7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
0794d06e1f9d7d100ff772b43857cb72ce176770e7408aa6ee7828e897d33176
MD5 hash:
42ae57337d9c6325b3619ef4bdeb56b5
SHA1 hash:
b23f689f62c41ae35e7893e7fb273e1e312d62e3
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
4b6ddecb4cdc7445fa5a0b99f853d56f7b9f75d792f92611382324fec3e2e59b
MD5 hash:
12aa99d1f0ae5eb9e0559dd283b24c71
SHA1 hash:
9614dab65146cc8bf3a75918a09e6d60569d7b37
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
ee23cf31fa7e30161a7db123cbaeb6e8e63fd3b5bbb5ba2faaddf659566d01d9
MD5 hash:
18fb06e321fca09ee6819224276d175f
SHA1 hash:
92575ae00e38c48fd71e39fdf5fa3d064c4282ce
Detections:
MALWARE_Win_DLInjector02
Create hunting rule
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
0b83b0060ed027111496aec08b60ec33ffebe925cc23f391db743c3dab506527
MD5 hash:
201ecbb2cec5d64aa2f0f9a7ffed48fc
SHA1 hash:
fc6131c66b8a4514b0203568dc3fcefd48db4582
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
a701226de06c490210777fce58227118a551614be8d29bc533e84380b7255e68
MD5 hash:
af859cfc3cfefe91999824232eabe47f
SHA1 hash:
e0af96d682bd3f533a54b97a6896a645405346e4
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
4c2eae8e341e6313414b1b4131a826519ca287da06390ac91f5acde004031b8c
MD5 hash:
9dbde76424199bedefb9e1dfc5872686
SHA1 hash:
df04b8dc662c7f518a8b00423af164a2387e551d
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
82971446217a3a6d47b27e2bad07e1f5ff9e3a8249d3ac12c88e3d5854da3fd8
MD5 hash:
de44456e731345aae9073dc850f8fa66
SHA1 hash:
c7077a489e33c173d4bced8bb758d508c10c1461
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
167e335945d5d8afe214b48c4cc51ffb763610afef3393f3f30e1037d51d60e7
MD5 hash:
9b2afb8207103ab2a72657d5ca7dbadb
SHA1 hash:
998fe0d2cc1b9fc57badacf809894c0c8087a11a
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
e6b3d70b3b1baf0ea4f1454a5bbb0a6e29c03d041ba19c1de6f0cccf6e03009e
MD5 hash:
9986416cc279cfec93c73401ea4a045e
SHA1 hash:
80ff1fdb67b20a00419c96aa3884ec489bd67583
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
SH256 hash:
e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc
MD5 hash:
80616f9cfa4570ce8b3b97b6f6c2bee0
SHA1 hash:
cbba228288ee101662f2c6a7c38657c988599938
Link:
https://www.unpac.me/results/105510ff-e9cf-4d2a-8fb6-b7aa798622f5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e32e406cbf68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e32e406cbf689164136fc229bf5a7127fdbb33e5e5eb636f4fca0dcbb9f6f5dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2832420/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
zbet commented on 2024-04-30 06:46:22 UTC

url : hxxps://universalmovies.top/teebin.scr