MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94
SHA3-384 hash:	d3a7e382c6248ac9348361942f9b37bf2efab2777801cc2b32e1e8d176b0a2d725ae6272a1904bc59ea6e007cea600f9
SHA1 hash:	05026244e76159c2a5fc818df54ee40961b9d0ae
MD5 hash:	d9b2e079467c40c697ad9d4e9d78ec3d
humanhash:	william-saturn-seventeen-three
File name:	Notificación de transferencia.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	847'360 bytes
First seen:	2023-06-13 10:15:48 UTC
Last seen:	2023-06-13 10:45:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:DgG1tCueig85yfyQVWQrQ3lsyb4Q4shFy:DgqtCDiHlQVWy+bbasvy
Threatray	2'560 similar samples on MalwareBazaar
TLSH	T114050140ADA94B27E67AB3F94F50327033FE9ADD3855F38A1D87B4E59468F090A42D07
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	ESP exe FormBook geo

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Notificación de transferencia.exe

Verdict:

Malicious activity

Analysis date:

2023-06-13 10:22:50 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/ea980a5a-242b-43a5-a0a2-3f02012dfced

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/398210/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2098.32064.29486.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Creating a process from a recently created file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/648841e6c6414862d206d963/reports/800d6734-434e-4ff7-80ea-e9df378b2794/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fb16a0a-b26f-4537-ae58-67ac743c637e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253510

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-13 10:16:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bzzeuuis5wi7z3xqmcwhnvuteebaonfpwkic4ujlfrljqer7v6ka._file

Verdict:

malicious

Label(s):

formbook

Formbook

6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a

Formbook

841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410

Formbook

9f7df9aa07cfd95be6465d8234bae2a1332e7627932b0b345962a766a696212d

Formbook

a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75

Formbook

a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016

Formbook

b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a

Formbook

b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0

Formbook

e40bff3bb093b2bdc11d7e1d5a990db99b3a914dc74a1aec2d28662da10cde9b

Formbook

e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b

Formbook

+ 2'550 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ga36 rat spyware stealer trojan

Link:

https://tria.ge/reports/230613-mas4lsgc5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

99ff6a37c82585c6d2e90f20e415fbb8764e9df8bca8652a7d9a737deca7377f

MD5 hash:

ebc66d0c2c7e09625cdd91510a42e3fa

SHA1 hash:

79a9b8db3e511aad276601fa7f90d34b7decfb91

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/26b33c20-ce9f-4254-9242-eabe2b1116ae/

Parent samples :

e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
12827a41d1bccb41a635ea9837a5eade7efadf556069b2bd734dbbfe7fa408bd
aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410
9f7df9aa07cfd95be6465d8234bae2a1332e7627932b0b345962a766a696212d
0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94

SH256 hash:

167f78f3a3232719fbabca3aa6d7a8b22a45be60b12c2444f1bff5d47405e7c7

MD5 hash:

1096b6e7e784307509704a6a7ada826a

SHA1 hash:

c40c63cd7b065723d80dd7702755da0be3eb7228

Link:

https://www.unpac.me/results/26b33c20-ce9f-4254-9242-eabe2b1116ae/

SH256 hash:

ad84297b692fc6c7eea956d522fa100b93704763956526ae5c02c675f56de1fe

MD5 hash:

6396d5b2f9853e18b1bb930a8d83ac75

SHA1 hash:

a60f66768d51345a1e96ab5d962b1dd242b46bd0

Link:

https://www.unpac.me/results/26b33c20-ce9f-4254-9242-eabe2b1116ae/

SH256 hash:

c243a8b9074278bd0b29b14512e18cd58d4152a45eb53ba9129f1aca1466fbf0

MD5 hash:

5d9e2eb1fc01f6d79ab2537eabc3dcbf

SHA1 hash:

6e65ecab502343b4881272542359e1b955351122

Link:

https://www.unpac.me/results/26b33c20-ce9f-4254-9242-eabe2b1116ae/

SH256 hash:

13e9be0aba1cef3943954d2a204472356721075f8ecbfe565a476aec8346fdc6

MD5 hash:

4ce78b41df3f0bb4dff20793bcc9f78d

SHA1 hash:

4de22b09a356224b9916836ba2ee181d369d5f4f

Link:

https://www.unpac.me/results/26b33c20-ce9f-4254-9242-eabe2b1116ae/

SH256 hash:

0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94

MD5 hash:

d9b2e079467c40c697ad9d4e9d78ec3d

SHA1 hash:

05026244e76159c2a5fc818df54ee40961b9d0ae

Link:

https://www.unpac.me/results/26b33c20-ce9f-4254-9242-eabe2b1116ae/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0e724a5112ed/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/398210/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample