MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e65eca2b4e88e604c49e21a1bd646f1311d9f6b520189246ac8dfbbbabc4790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e65eca2b4e88e604c49e21a1bd646f1311d9f6b520189246ac8dfbbbabc4790
SHA3-384 hash: 277af944374e69dd122f84bbdffbb6257e3e34f5e37898d831d46ba26ad6401de619863a043b0bf67f97bcc16e7ab6b8
SHA1 hash: c1c6a4c7dc94aa11b62cc38ae3ff8138c8e190cf
MD5 hash: e63842f37557f942b23ec47bad071a7d
humanhash: nebraska-may-chicken-blossom
File name:JUUoPkN.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:313'856 bytes
First seen:2022-11-24 14:53:01 UTC
Last seen:2022-11-24 16:29:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:8UIP92E9brBPKVtjT5Kf0DIT614qUl+SpyhGC9u68Yn:hIF2E93BPkj1KXpqUs+3Cs6
Threatray 304 similar samples on MalwareBazaar
TLSH T1E364021A76C9F76DE51C17F1006962402BFFEA593722D32D6CE1A0EC1E1778A6B39603
TrID 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30b2c4c8c8c4b030 (53 x Formbook, 41 x RemcosRAT, 20 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
302
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JUUoPkN.exe
Verdict:
No threats detected
Analysis date:
2022-11-24 14:54:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62c5567f-f496-4504-8179-2c721fc88819

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338101/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.345.14016.5196.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/637f85505be128ac718eaae9/reports/eadbf599-5c9c-46c6-ac3f-925b8854e30e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/55a5c42b-985b-4173-b279-2e2bb899446b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120584
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 753301 Sample: JUUoPkN.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 33 www.needook.com 2->33 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 9 JUUoPkN.exe 1 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\JUUoPkN.exe.log, CSV 9->25 dropped 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Injects a PE file into a foreign processes 9->59 13 RegSvcs.exe 9->13         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 16 explorer.exe 13->16 injected process9 dnsIp10 27 www.commongoodprojects.com 216.40.34.41, 49701, 49702, 49703 TUCOWSCA Canada 16->27 29 olanger.email 81.169.145.68, 49707, 49708, 49709 STRATOSTRATOAGDE Germany 16->29 31 5 other IPs or domains 16->31 35 System process connects to network (likely due to code injection or exploit) 16->35 37 Performs DNS queries to domains with low reputation 16->37 20 svchost.exe 13 16->20         started        23 autochk.exe 16->23         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 20->47 49 Tries to harvest and steal browser information (history, passwords, etc) 20->49 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e65eca2b4e88e604c49e21a1bd646f1311d9f6b520189246ac8dfbbbabc4790/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 10:47:03 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
36
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzs6zivu5chgatcj4inbxvsg6eyr3h3lkiaysjdkzdp3xov4i6ia._file
Verdict:
suspicious
Similar samples:
07e998bad81bb4b3bfccffc32a3e9aaac2635e98d1454e98eafb3cdb027e93e9
Formbook
330a2e6dcb89bc9d54e8535dc95b1bbea5cddfedcb148f62e2214b46911a9f91
Formbook
3d20a0367451fd840a120186bd5ff7db7ba12221741964dd8cd15322e7c05760
Formbook
6ab70b64db33144464739beb641047bfb8f3d967c3561054d94e8dca267ca3a1
Formbook
db7c8a5a46d62bd318bbe44a2aad834839f33af3883f7d8bf0d3f19cda616a39
Formbook
fcebb36035585f1e54deb8621271ebdf13ed6345f4e6a4e5ec6e1acbb7378161
Formbook
feb004eece446b55f9084f8eb1ef78f3629943b6978a7fcd1179a64d14477255
Formbook
+ 294 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:bpjg loader rat spyware stealer trojan
Link:
https://tria.ge/reports/221124-r9ahrsbe35/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Formbook
Xloader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c07b29c2-84b6-4a96-a47c-32752962870c
Unpacked files
SH256 hash:
0e65eca2b4e88e604c49e21a1bd646f1311d9f6b520189246ac8dfbbbabc4790
MD5 hash:
e63842f37557f942b23ec47bad071a7d
SHA1 hash:
c1c6a4c7dc94aa11b62cc38ae3ff8138c8e190cf
Link:
https://www.unpac.me/results/ff0f1931-b9fd-4e80-a11c-26e42c04e99b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e65eca2b4e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/0e65eca2b4e88e604c49e21a1bd646f1311d9f6b520189246ac8dfbbbabc4790

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0e65eca2b4e88e604c49e21a1bd646f1311d9f6b520189246ac8dfbbbabc4790

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/338101/

Comments