MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1
SHA3-384 hash: 107aaacd7c76a572d401debe2bffe2380772f1fcf29d75644d00b09b01cc2ca3cef0b2bc4d5b5490fbf1053acbd4608b
SHA1 hash: 030e5beded6ba62db2bfc9862a83f5a6c6e29ca6
MD5 hash: a69f3b88a6774d10b9b0bb6c48b196e7
humanhash: fix-oranges-stream-snake
File name:P-Order #102721.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:535'040 bytes
First seen:2021-10-27 04:03:17 UTC
Last seen:2021-10-27 05:24:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:eY6YpD2FXImLrfqldiQ+vvgFLKBsD1wf9KWj0hxD2Hn8mWFMLppQylXQYdMkfU:1WImHLQEgsowf94xHmZplxQ+H
Threatray 10'846 similar samples on MalwareBazaar
TLSH T128B4E09163B8C806D6B907B0D5B4C4F08739BC25D651D61FD8E63CDF3A72782462AB2B
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200379/
Detection(s):
SecuriteInfo.com.ArtemisA69F3B88A677.28202.15098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/6178cfb59a5a1e91c5d6436c/reports/48ba3faa-d01c-4dad-8642-b4c5e565ddbf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/57899dbf-44f1-4c46-8416-ecc5c90bcb66
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877462
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 04:04:06 UTC
AV detection:
6 of 44 (13.64%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4t2hrn6nmwglgg6bdexbntgbkcovkktsfgus72q2hrrcj3tvsgqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
49d82a6b19fe35893b419696bace48db225826ccfa73da61ca22f59f7f045406
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
9f59a9c7a38d8031c5b0829da6c4c10951b1de67adada4f567449d4b6ea8d83c
Formbook
a68cb3bf1d9d41e29fcf2e4391e827591e58783cea5a13fe95403fb6b3429b5d
Formbook
c12bd972fbf3301e40fa75c3e295a8bd0233bf1f5fa100e79ab7f6755f7b6788
Formbook
c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
Formbook
cadf6d6a91c8c4e8576468e393638eb7ee477490c5a8a7d0fe9e919b6a6d93ec
Formbook
d6a8c5f4120e3be2e6d676d808dbdadc074f811398ac5b03878baba7275137d4
Formbook
fa5502396dc7ec0fc5508d901eb8b3e555558cdbaff338a1911db0edd4563b78
Formbook
+ 10'836 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cr35 rat spyware stealer trojan
Link:
https://tria.ge/reports/211027-emykvsafa4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.tllyou.com/cr35/
Unpacked files
SH256 hash:
2d96b7958904c0579e2cc69bc39cc4cee8d66476fcc47964bd7cef6996dc1667
MD5 hash:
a8a33d22dc1ca917d7a20d0497a5e303
SHA1 hash:
fb946053ce186c6c3574190f73d05fb40f7024e8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b850d92a-deeb-48d9-9708-f001c7b5a790/
Parent samples :
42342c618988f3ce6d4f350da12348be8033ea29d17bb6bb4f6be6e02e58328a
e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1
177d82d6a53494bf58a577731d6a5c65118677114dedd45176b5d34a559cceb6
SH256 hash:
b1ba786785f007a41caed44e35932b8bc9dc4766087ece18c94ec175c4702d92
MD5 hash:
5a2796ce8a8e000297f8c9c240fe667f
SHA1 hash:
77e8f3d17f61780392619098c0bf8072dd2baeb2
Link:
https://www.unpac.me/results/b850d92a-deeb-48d9-9708-f001c7b5a790/
SH256 hash:
4d1ee061c817ea30ca4e461a4f44388662c1c1c2775be2b323858ddbc1679b35
MD5 hash:
1b6d3d31872537cc611ff4322ffc1099
SHA1 hash:
0108adafb207ce044bfb3f7933da45594c545bee
Link:
https://www.unpac.me/results/b850d92a-deeb-48d9-9708-f001c7b5a790/
SH256 hash:
e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1
MD5 hash:
a69f3b88a6774d10b9b0bb6c48b196e7
SHA1 hash:
030e5beded6ba62db2bfc9862a83f5a6c6e29ca6
Link:
https://www.unpac.me/results/b850d92a-deeb-48d9-9708-f001c7b5a790/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e4f478b7cd658cb31bc1192e16ccc1509d552a7229a92fea1a3c6224ee7591a1

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200379/

Comments