MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0
SHA3-384 hash: feb336cd5196b5e21f9bb1de108813820d0b9379221dc560be5d0894f2d92547b5b53ff6a8c72af5874b4a5cfd55d3fd
SHA1 hash: 1f8a8674e8425ff3edcc377f12569890f96c734c
MD5 hash: 248459e9a88f59cd50f7f3c2a6b849bf
humanhash: speaker-bulldog-blue-east
File name:f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0
Download: download sample
Signature Formbook
Create hunting rule
File size:235'008 bytes
First seen:2023-10-10 11:21:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:tloZM+rIkd8g+EtXHkv/iD4ejXlbiAfbo3xUyzzq1eb8e1mTi:voZtL+EP8ejXlbiAfbo3xUyzzqEZ
Threatray 11 similar samples on MalwareBazaar
TLSH T19E346C5933B88B17E25F8BBED5B1158F87B1F103E90AF78E0C8895F82411B42E949E57
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0
Verdict:
Malicious activity
Analysis date:
2023-10-10 16:05:38 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/7975a12f-32ed-49a5-8289-6f3340f76599

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilzilla-9952790-0
Create hunting rule

Win.Packed.Msilzilla-9955952-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
Creating a file
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Adding an exclusion to Microsoft Defender
Changing the hosts file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95f8006c-4860-47e4-8366-54b301522b0a
Result
Threat name:
Blank Grabber, Umbral Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322812
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Yara detected Blank Grabber
Yara detected Umbral Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322812 Sample: UxFJn80MIy.exe Startdate: 10/10/2023 Architecture: WINDOWS Score: 100 42 discord.com 2->42 44 ip-api.com 2->44 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 9 other signatures 2->56 8 UxFJn80MIy.exe 15 16 2->8         started        signatures3 process4 dnsIp5 46 discord.com 162.159.138.232, 443, 49717, 49718 CLOUDFLARENETUS United States 8->46 48 ip-api.com 208.95.112.1, 49711, 49714, 80 TUT-ASUS United States 8->48 38 C:\ProgramData\Microsoft\...\Alzw7.scr, PE32 8->38 dropped 40 C:\Windows\System32\drivers\etc\hosts, ASCII 8->40 dropped 58 Suspicious powershell command line found 8->58 60 Found many strings related to Crypto-Wallets (likely being stolen) 8->60 62 Self deletion via cmd or bat file 8->62 64 6 other signatures 8->64 13 cmd.exe 8->13         started        16 powershell.exe 21 8->16         started        18 powershell.exe 11 8->18         started        20 9 other processes 8->20 file6 signatures7 process8 signatures9 66 Uses ping.exe to check the status of other devices and networks 13->66 22 conhost.exe 13->22         started        24 PING.EXE 13->24         started        26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 20->32         started        34 conhost.exe 20->34         started        36 6 other processes 20->36 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 16:29:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6s3bylbunlgta5djtgijolso7cohqgab2q4rwe26bfcxsckn47ya._file
Verdict:
malicious
Similar samples:
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71
Formbook
639a212bfefa5d7da9a6a25a583c205e68fbd87d99cf18de3d03575fcd4212a1
Formbook
6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8
Formbook
7e9fc9546b1c8892e6ddb754bdea3a38a892c186c8f6969e2780d3edfac6eb46
Formbook
9847293a0884f10d049ad0f0dcd5dd09625e85effe5f00f33ab42c09be313836
Formbook
a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c
Formbook
dc1fac12b351fb002bdb989e60717c36e2bd50c6c96b449fbffeb347c47622a5
Formbook
f9d1e0e6aee3b5c3867d9a3f09cff6cd1bfddd181eca8459981265059bb71bda
Formbook
+ 1 additional samples on MalwareBazaar
Result
Malware family:
umbral
Create hunting rule
Score:
  10/10
Tags:
family:umbral stealer
Link:
https://tria.ge/reports/231010-nf1ajsda6t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detect Umbral payload
Umbral
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1115957523032318044/mGxbpCYnP4RV2GG-pwDh863-_wBVcHMZ3equQyiqt-XHXh1DZvd0YqcfBF9oNobCkjdG
Unpacked files
SH256 hash:
f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0
MD5 hash:
248459e9a88f59cd50f7f3c2a6b849bf
SHA1 hash:
1f8a8674e8425ff3edcc377f12569890f96c734c
Link:
https://www.unpac.me/results/963bc2c7-3a18-4d50-b377-dc0cc2392d21/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4b61c2c346a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4b61c2c346acd3074699990972e4ef89c781801d4391b135e094579094de7f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments