MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12



SHA256 hash: e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10
SHA3-384 hash: b03b54e55a7185abd57c1604077f34530056f82473bc3358b4cf590db3a5ac4fabcbad810a3193582c5df2d3ed15bc8d
SHA1 hash: d5ed0e54b839a3fcea2a912461f71aa3069eefde
MD5 hash: c8bd2fd6e2e7fc24eada83b44336f570
humanhash: hot-delaware-montana-jupiter
File name: Delay notice of M.V. KANWAY GLOBALV.2213S.scr
Signature: Formbook
File size: 1'094'144 bytes
First seen: 2022-09-28 16:36:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 24576:I1S9JZiaRy0nJoOT5g7QD147cdgvuSp4O1BfX+FJ2SIv:IIvKkzTq61GcmxpnQJ2S
Threatray: 15'419 similar samples on MalwareBazaar
TLSH: T1F435F12317EA4B07D02577B884E1D2B6A7AADC11E063C78B5FCA6C9FB05A755C720363
TrID: 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.5% (.SCR) Windows screen saver (13101/52/3)
      9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe FormBook scr

Intelligence


File Origin
# of uploads: 1
# of downloads: 377
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 711964; sample: Delay notice of M.V. KANWAY GLOBALV.2213S.scr; start date: 28/09/2022; architecture: Windows; score: 100)
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures.
Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe (started): drops Delay notice of M....V.2213S.scr.exe.log (ASCII); starts two further instances of Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe.
Second instance of Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injects into explorer.exe.
explorer.exe (injected): connects to www.sideust.com 139.162.68.120 (ports 49700, 49701, 49702; AS LINODE-AP Linode LLC US; Netherlands) and fwd3.hosts.co.uk 85.233.160.24 (ports 49696, 80; AS ISIONUK Namesco Limited GB; United Kingdom), plus 3 other IPs or domains; System process connects to network (likely due to code injection or exploit); starts control.exe.
control.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures.
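The chain in the behaviour graph (the .scr sample starts a copy of itself, the copy hollows explorer.exe, the injected explorer.exe makes the network connections and starts control.exe, which reads browser and mail credential stores and deletes the original sample) is the parent/child-plus-injection relationship a detection engineer would model from this report. The following is an added example, not MalwareBazaar's or the sandbox vendor's code, that replays that chain over a constructed Sysmon-style event list and reports each stage; the event schema, PIDs, file paths, allow-list and function names are assumptions made for this illustration, while the host names and IPs come from the graph above.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Trusted Windows system images (constructed allow-list for the demo; real
# logic would also check signer and full path, not the image name alone).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "winlogon.exe"}

# Cross-process operations that make up the hollowing / SetThreadContext / APC
# pattern listed in the signatures above.
INJECTION_APIS = {"WriteProcessMemory", "NtMapViewOfSection",
                  "SetThreadContext", "QueueUserAPC"}

# Path fragments of browser and mail credential stores (assumed for the demo).
CREDENTIAL_PATH_HINTS = ("\\login data", "\\cookies", "\\history",
                         "\\thunderbird\\profiles\\", "\\outlook\\")

SAMPLE = "Delay notice of M.V. KANWAY GLOBALV.2213S.scr.exe"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    injected_by: Optional[int] = None  # pid of the non-system process that wrote into us
    tainted: bool = False              # injected by, or descended from, the injected chain


def analyse(events) -> List[Tuple[str, int]]:
    """Replay events in order; return de-duplicated (rule, pid) findings."""
    procs: Dict[int, Proc] = {}
    findings: List[Tuple[str, int]] = []

    def report(rule: str, pid: int) -> None:
        if (rule, pid) not in findings:
            findings.append((rule, pid))

    for ev in events:
        kind = ev["type"]
        proc = procs.get(ev["pid"])
        if kind == "process_create":
            parent = procs.get(ev["ppid"])
            proc = Proc(ev["pid"], ev["ppid"], ev["image"].lower())
            # control.exe started by explorer.exe is normal; it is flagged only
            # because this explorer.exe was injected first.
            if parent is not None and parent.tainted:
                proc.tainted = True
                report("child of injected system process", proc.pid)
            procs[proc.pid] = proc
        elif proc is None:
            continue  # event from a process whose start we never saw
        elif kind == "process_access":
            target = procs.get(ev["target_pid"])
            if target and ev["api"] in INJECTION_APIS and proc.image not in SYSTEM_IMAGES:
                target.injected_by, target.tainted = proc.pid, True
                report(f"injection into {target.image}", proc.pid)
        elif kind == "network_connect":
            if proc.image in SYSTEM_IMAGES and proc.injected_by is not None:
                report("system process connects to network after injection", proc.pid)
        elif kind == "file_read":
            path = ev["path"].lower()
            if proc.tainted and any(hint in path for hint in CREDENTIAL_PATH_HINTS):
                report("credential store read by injected chain", proc.pid)
        elif kind == "file_delete":
            target_name = ntpath.basename(ev["path"]).lower()
            if proc.tainted and any(p.image == target_name for p in procs.values()):
                report("original sample deleted by injected chain", proc.pid)
    return findings


# Constructed events modelled on the behaviour graph (hosts and IPs from the
# page; PIDs, paths and field names are made up for this example).
MALICIOUS_EVENTS = [
    {"type": "process_create", "pid": 16, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_create", "pid": 8, "ppid": 16, "image": SAMPLE},
    {"type": "process_create", "pid": 11, "ppid": 8, "image": SAMPLE},
    {"type": "process_access", "pid": 11, "target_pid": 16, "api": "NtMapViewOfSection"},
    {"type": "process_access", "pid": 11, "target_pid": 16, "api": "SetThreadContext"},
    {"type": "process_access", "pid": 11, "target_pid": 16, "api": "QueueUserAPC"},
    {"type": "network_connect", "pid": 16, "host": "www.sideust.com", "ip": "139.162.68.120"},
    {"type": "process_create", "pid": 20, "ppid": 16, "image": "control.exe"},
    {"type": "file_read", "pid": 20,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 20,
     "path": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json"},
    {"type": "file_delete", "pid": 20, "path": ntpath.join(r"C:\Users\victim\Downloads", SAMPLE)},
]

# Same images without injection: explorer.exe launching Control Panel normally.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 16, "ppid": 1, "image": "explorer.exe"},
    {"type": "network_connect", "pid": 16, "host": "fwd3.hosts.co.uk", "ip": "85.233.160.24"},
    {"type": "process_create", "pid": 21, "ppid": 16, "image": "control.exe"},
    {"type": "file_read", "pid": 21, "path": r"C:\Windows\System32\control.exe"},
]

if __name__ == "__main__":
    for rule, pid in analyse(MALICIOUS_EVENTS):
        print(f"pid {pid}: {rule}")
    print("benign findings:", analyse(BENIGN_EVENTS))
```

The design point is that neither explorer.exe making a network connection nor explorer.exe starting control.exe is suspicious on its own; both are flagged here only because a non-system process first hijacked a thread in that explorer.exe, and the taint is carried down to the child that reads the credential stores.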
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2022-09-28 07:03:09 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 5 of 41 (12.20%)
Threat level: 2/5
Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:xloader campaign:ruwn loader rat spyware stealer trojan
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Xloader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: f02f8561d0003cfb179b017afc232c01c09c3699d31b1098487762811d825d57
MD5 hash: e7b5905597ae4cba376b23c590b066c9
SHA1 hash: cd85878c93176eb0ef39d009ccc30082afaa06ee
Detections: XLoader win_formbook_auto win_formbook_g0

SHA256 hash: 5488983c524471fa12f1c7acf66fe9b9b52c30d030e5b465267e9db2273f3a0c
MD5 hash: 468060bba5ca2e24b401582057937574
SHA1 hash: fc9e42a1a217410494b7757662935517ffdc25e7

SHA256 hash: 2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash: c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash: 7347706241422758c06440fd6044ae4e042b456b

SHA256 hash: 1b8835c90b8059d466218df4d2a0eee759a1dfcf39e17b2d1ccbf7d65697ee97
MD5 hash: bbef479b2ff646adca6b5c0cfa55b866
SHA1 hash: 0ffb33073e0d4e28475c2572bc9925157788bf63

SHA256 hash: d90700917542d711bbb0e897238a1e0f820a15072f3a4e31ed6c777f0f10e4c9
MD5 hash: 840343d963cfea96546f89b9394aea64
SHA1 hash: 09866fd10aba64e040e4e930c1b8d16f45a70c9f

SHA256 hash: e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash: 35cb29046968faca7f3f3b4463449b6c
SHA1 hash: 088c8c30ec1bece0a4b5bbfe3982b073f8b95598

SHA256 hash: e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10 (the submitted sample)
MD5 hash: c8bd2fd6e2e7fc24eada83b44336f570
SHA1 hash: d5ed0e54b839a3fcea2a912461f71aa3069eefde

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
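The imphash listed in the file details above is shared with 48'657 AgentTesla, 19'468 Formbook and 12'206 SnakeKeylogger samples, and both YARA hits on this page are imphash rules. The reason is that a managed (.NET) executable's native import table holds a single entry, mscoree.dll!_CorExeMain, so every .NET binary has the same imphash and a rule or pivot keyed on it matches the .NET loader stub, not the family. The following is an added example, not MalwareBazaar's or pefile's code, that recomputes the value from an import list the way pefile's get_imphash() does (ordinal imports, which pefile resolves through a lookup table, are not handled); the function names are this example's own.

```python
import hashlib
from typing import Iterable, List, Tuple

# pefile drops these extensions from the library name before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")

# Native import table of a managed (.NET) executable: one entry, the CLR
# entry point. Every such binary therefore yields the same imphash.
DOTNET_EXE_STUB_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Value reported for this sample on the page above.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash_entries(imports: Iterable[Tuple[str, str]]) -> List[str]:
    """Normalise (library, function) pairs into the 'lib.func' tokens that
    pefile hashes: lower-case, library extension stripped, table order kept."""
    entries = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        entries.append(f"{lib}.{func.lower()}")
    return entries


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """MD5 over the comma-joined entries, i.e. pefile's get_imphash() result
    for a binary whose imports are all by name, in this order."""
    return hashlib.md5(",".join(imphash_entries(imports)).encode()).hexdigest()


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when an imphash is just the .NET loader stub and carries no
    family-specific information worth pivoting on."""
    return value.lower() == imphash(DOTNET_EXE_STUB_IMPORTS)


if __name__ == "__main__":
    print(imphash_entries(DOTNET_EXE_STUB_IMPORTS))  # ['mscoree._corexemain']
    print(imphash(DOTNET_EXE_STUB_IMPORTS), "page:", PAGE_IMPHASH)
    print("generic .NET stub:", is_generic_dotnet_imphash(PAGE_IMPHASH))
```

When a sample's imphash is the stub value, pivot on the ssdeep and TLSH values, the 15'419 Threatray matches, the vendor family tags and the unpacked payload hashes listed above instead; the imphash only tells you the outer layer is a .NET executable.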

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malware: Formbook
File: Executable exe e4e4b8f8990f7ff711e1a238445dedaf74f4d01a10afa0c774705ff4412cbc10 (this sample)
Delivery method: Malspam (distributed via e-mail attachment)