MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9
SHA3-384 hash: e6924f097290354fc980e25965d0479336dd0037fdd2a2455310a22f2423a921add0e82322224a5d27e7c75c641149a3
SHA1 hash: 0fb5bf75128f3958f6136fb080f52a5b4d4b7d61
MD5 hash: 1bd37091a9130ee6baeabade878c19a0
humanhash: burger-johnny-foxtrot-victor
File name:Packing List.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:741'888 bytes
First seen:2024-12-09 07:29:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:WquErHF6xC9D6DmR1J98w4oknqOOCyQfNVpEpRmSoYVPzbhMclhnrpS9vLBd80Q:brl6kD68JmlotQfTp8RmNY1BMOhnEhVW
TLSH T103F4238909C6DC75D55972708439DC685B7478329E88BB5EC368E21FFC32303E86BB69
TrID 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
364
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Packing List.exe
Verdict:
Malicious activity
Analysis date:
2024-12-09 07:46:49 UTC
Tags:
upx autoit
Link:
https://app.any.run/tasks/ed5e7c21-4569-422b-b48d-4673d8d4685b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.13741.22542.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67569c91469da547b39781c9
Tags:
autoit virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm autoit compiled-script evasive extrac32 lolbin microsoft_visual_cc packed packed packed packer_detected powershell upx
Link:
https://www.filescan.io/uploads/67569c89be1ef5b25ae073b5/reports/2a71b039-5620-4065-a56f-eea7cb1d6b26/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9477c555-908a-453a-b618-99c7f61be068
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1571278
Signature
AI detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-12-05 03:29:59 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5awutjzifw5ys3e6lurin4wfk5ptnvjtbut2sqstfym4agjy2g4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_036
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery upx
Link:
https://tria.ge/reports/241209-jbtvrazrhs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Verdict:
Suspicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/0d50c850-3a01-4998-a241-242e13bfdc72
Unpacked files
SH256 hash:
64045f1399264db680aebc38aa70205ebb68d620cfbe6c978348ec851278957b
MD5 hash:
d77626213fa962462cdac15ab4b432dd
SHA1 hash:
abb017cc4d20952089bf6201a9e2c76cf1efcbec
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e91e5756-3f9c-4a65-ae7c-89d1e4674a27/
Parent samples :
0ea2f7230b7cb4a06bc6810e647a96d445962148694b45d282d551402d8f52db
e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9
SH256 hash:
3090dd9fcc28d23de00ccbd3ec8a634fbcb3ca181ddad861cb4e380b48751d55
MD5 hash:
050c79b85db8e3efc6f6fde4eb22fb5e
SHA1 hash:
68edbb23139d68a7b4f9655159be7bac4f64e751
Link:
https://www.unpac.me/results/e91e5756-3f9c-4a65-ae7c-89d1e4674a27/
SH256 hash:
d49b25dfaec5b9aa8eb19de356122ea4c80ee55cd2b3c4d18c24f9be6328fc99
MD5 hash:
c17d3184d7eb4e47adc383af2f3c0024
SHA1 hash:
c5035f870c4f4abe303ff55a406a5c0c5a3da19b
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e91e5756-3f9c-4a65-ae7c-89d1e4674a27/
SH256 hash:
e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9
MD5 hash:
1bd37091a9130ee6baeabade878c19a0
SHA1 hash:
0fb5bf75128f3958f6136fb080f52a5b4d4b7d61
Link:
https://www.unpac.me/results/e91e5756-3f9c-4a65-ae7c-89d1e4674a27/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e82d49a7282d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e82d49a7282dbb896c9e5d2286f2c5575f36d5330d27a942532e19c01938d1b9

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments