MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259
SHA3-384 hash: f877991e0778336f0d91338e45086bff3ffee13478ee19e69a8cb9474f513a1d8de86116a7575acfa4e07acc08677814
SHA1 hash: 9b49ea9ca369f043ffe7a3a81cfaec9036f44568
MD5 hash: 0c0bb83c0f44eeed2bfcd669bc2caa47
humanhash: one-arizona-cardinal-double
File name:OST VGM.XLSX.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:642'048 bytes
First seen:2023-07-27 10:14:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:tf2iN2GULrB3oMR3JoU/ZQzc+fweTx84K5IPuv32NmN226cDunOTCEH:tf1xULrVJBD/i3f7KqWnU26cCnOuE
Threatray 3'548 similar samples on MalwareBazaar
TLSH T1F1D41221A6ECAB5AC93993F42AD065000BB2ED1F6635C3591D9E30EB9F23B3116D1F53
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe FormBook scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OST VGM.XLSX.scr
Verdict:
Suspicious activity
Analysis date:
2023-07-27 10:23:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/121bc1d7-24b8-4529-910a-b6bc17311c2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/434752/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64c243ab2a568ab215b8d2d0/reports/8d4249f5-3aa1-4e20-8823-ad3489772275/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0148a36f-855c-4748-bc4a-a290cbd2d50e
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1281060
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 00:38:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4suplervt4nt4d3m6ecmpr3t5vocjgqcx7mno4helgqhjkd72jmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2
Formbook
12b2b7e0563a96b7a8d1909d7e43d1b78445a99097242616bc141ba4a4c38449
Formbook
6c5d418831206f110eac092468ea4197e3253f3350e48b0986e130995bd46451
Formbook
79ae6681fe6fdf1d7810a3bf37811b7c49f706ca0f4c04ab719633f924f727ad
Formbook
8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a
Formbook
9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae
Formbook
ab0646fd7bf8dece42e0c38e843fbe4cbb9c18e0e98cb26cad14357fde20ed4a
Formbook
b69a68bd6dec2421c2f725dd9fd35f3923f81f1549a936a55d8d3a978362b952
Formbook
be0791f3e56382436345ae0413249be5e66c0a593afc1c83ab57d8bbae61d4ba
Formbook
e8120ddaa86fc56ab083a38b22ca366809e5d1196f3c10175bc745e3dfd15750
Formbook
+ 3'538 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230727-l99d7sea48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
54f9414a1c215ebe3c23b15820e3bc62ffe99ad6f8086c46c4e8cbb3e5835c00
MD5 hash:
3927545f5bfab3307aaf7161f3d97609
SHA1 hash:
b841214459fe4eb8098173454f851958c2246f2f
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/d885cc2c-633c-48cb-a05e-e16f687f20d5/
SH256 hash:
2aefcd2f7d70360fe6806e89039e6bc1c828cb47ce6beafda1908e66f9fa5f84
MD5 hash:
da287f7e6173f085084066341b84fe07
SHA1 hash:
63d44456709e3bb5abb38626777efc15f274277f
Link:
https://www.unpac.me/results/d885cc2c-633c-48cb-a05e-e16f687f20d5/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/d885cc2c-633c-48cb-a05e-e16f687f20d5/
SH256 hash:
aaa3dded1301310aaabd3b70373d6a440f0b99445769e1695378afaa8d46b13c
MD5 hash:
85820d89b093538fa6ca4f9c2055c21d
SHA1 hash:
705d2cd775d6965e9523d2f89b53f4caa40ea930
Link:
https://www.unpac.me/results/d885cc2c-633c-48cb-a05e-e16f687f20d5/
SH256 hash:
b9a20d6a037273d22acfef040a5ee5eaf300f8ed3cfa174ef8a7c400b3753105
MD5 hash:
f2ddeb90f1d02f7f07a7d4784907f037
SHA1 hash:
03ecca6a926462f1559c29e0d59dd99ed62b60fa
Link:
https://www.unpac.me/results/d885cc2c-633c-48cb-a05e-e16f687f20d5/
SH256 hash:
e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259
MD5 hash:
0c0bb83c0f44eeed2bfcd669bc2caa47
SHA1 hash:
9b49ea9ca369f043ffe7a3a81cfaec9036f44568
Link:
https://www.unpac.me/results/d885cc2c-633c-48cb-a05e-e16f687f20d5/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4a8f592359f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e4a8f592359f1b3e0f6cf104c7c773ed5c249a02bfd8d770e459a074a87fd259

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/434752/

Comments