MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
SHA3-384 hash: 5bf726dd97c09d678569daf68cfe5b242579d00d7f8a7659145b0380a656296f74a0ae73d5ae0578b81c0f7f865db016
SHA1 hash: 7339a3ae5bd3cf2df9a5f0c3da5b09f0d59ed574
MD5 hash: 6c98ae2659f95e0bee6e8b4717113943
humanhash: bluebird-steak-eighteen-kansas
File name:f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
Download: download sample
Signature Formbook
Create hunting rule
File size:962'048 bytes
First seen:2023-01-05 14:35:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:rcr2iNjoi/RQbUa4krXhPjiGhe4sF+yPKfKV8LIySiPZB6LByqzNMPtgURVrDJnT:4r1Wi/Tw1PjiGhzPyPKfKVtwB6LBI
TLSH T1D115F72F4ED755D4EE3747F472459BB83DA2BB81A8615C0968A0F07300BC53DAB3EA64
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
Verdict:
Malicious activity
Analysis date:
2023-01-05 14:37:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b6e9f9de-17c3-48fb-be29-a77d93217ec6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349709/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b6e053b9b1c17375207940/reports/f3d21395-0cc9-4df9-a24c-10494db18ec7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00267c82-f17d-40d9-ab7f-afcd2245d02d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145708
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778442 Sample: 59FdvC43IB.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 8 other signatures 2->61 8 59FdvC43IB.exe 7 2->8         started        12 TWuzNKLOAqq.exe 5 2->12         started        process3 dnsIp4 41 C:\Users\user\AppData\...\TWuzNKLOAqq.exe, PE32 8->41 dropped 43 C:\Users\...\TWuzNKLOAqq.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmp36CF.tmp, XML 8->45 dropped 47 C:\Users\user\AppData\...\59FdvC43IB.exe.log, ASCII 8->47 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 8->69 71 Adds a directory exclusion to Windows Defender 8->71 73 Injects a PE file into a foreign processes 8->73 15 59FdvC43IB.exe 8->15         started        18 powershell.exe 19 8->18         started        20 schtasks.exe 1 8->20         started        53 192.168.2.1 unknown unknown 12->53 75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 79 Uses ipconfig to lookup or modify the Windows network settings 12->79 22 TWuzNKLOAqq.exe 12->22         started        24 schtasks.exe 1 12->24         started        file5 signatures6 process7 signatures8 83 Modifies the context of a thread in another process (thread injection) 15->83 85 Maps a DLL or memory area into another process 15->85 87 Sample uses process hollowing technique 15->87 89 Queues an APC in another process (thread injection) 15->89 26 explorer.exe 15->26 injected 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 ipconfig.exe 22->34         started        36 conhost.exe 24->36         started        process9 dnsIp10 49 recipecity.quest 162.241.123.152, 49699, 80 UNIFIEDLAYER-AS-1US United States 26->49 51 www.recipecity.quest 26->51 81 System process connects to network (likely due to code injection or exploit) 26->81 38 cscript.exe 26->38         started        signatures11 process12 signatures13 63 Deletes itself after installation 38->63 65 Modifies the context of a thread in another process (thread injection) 38->65 67 Maps a DLL or memory area into another process 38->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-12-08 06:42:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sexukrgbo3k6lefgjylb7rmlws7qqdgriri6yd7fljcvgvhqf7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:q4k5 rat spyware stealer trojan
Link:
https://tria.ge/reports/230105-rykjlacd24/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/25214baf-4454-47ca-a188-c795b04d8763
Unpacked files
SH256 hash:
dc167c51e5b18a4f3082103c883acd0e2731355790b162fa028c464529c6c8fa
MD5 hash:
59206528ecaad5375d547e8a9c2616f6
SHA1 hash:
69fdb679ed8157c39455350c9012831d5c10f682
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
Parent samples :
efe299573660e349b6169b099708c6794d5b593095b9a81ac5000a9b18936252
987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
fa6c3d318b33c9f659b283d02ed355e6c82988ed44d5f7458f043ed6d7997d9b
f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
SH256 hash:
894053c4ccde8e981818530f3890240aac621a745ded33c058496562181a2cb1
MD5 hash:
987b5b7b10457a0685a2b3e64fa3398c
SHA1 hash:
3be6f7b24b17be260e215e3b80a57d59c8d7e4c6
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
SH256 hash:
091aa762b307b5d398e595aec0ecdce3f68df81a152d1a955d068bc6b6af073e
MD5 hash:
b24cc923bbe3835624dfb99e12975ab1
SHA1 hash:
8e7ea3b0c3b254f33f29aa7f2b18ba038699f90c
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
SH256 hash:
c037f517ba1608be0813ec191be555aad535d47da6cc144530266cf8be630bfe
MD5 hash:
84a48f5b2f292581b25237c310a1f92f
SHA1 hash:
62ab1b5e17e74f0ffcdd1c76e7e96bd5405199b8
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
SH256 hash:
f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e
MD5 hash:
6c98ae2659f95e0bee6e8b4717113943
SHA1 hash:
7339a3ae5bd3cf2df9a5f0c3da5b09f0d59ed574
Link:
https://www.unpac.me/results/65568098-7e59-48ba-b3f8-6a63f1e21979/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4897a2a260b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4897a2a260bb6af2c853270b0fe2c5da5f840668a228f607f2ad22a9aa7817e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349709/

Comments