MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b
SHA3-384 hash: 31760d9d12a2fd132c33c35a6fea12be2cb7b01bbf4ca00a4f0c0e6af4e8f7bba4e3b00f12d005030a803552a17361ad
SHA1 hash: f811f24a5bb048e5aaec2e7456bb6597c2408359
MD5 hash: 03c2f941af8cede493cd177fbe9cea96
humanhash: triple-pennsylvania-batman-uncle
File name:Order Specification-887762.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:759'808 bytes
First seen:2022-10-03 06:59:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 12288:1Ov5jKhsfoPA+yeVKUCUxP4C902bdRtJJPi+FqA/vJ1saEauZDa+:1q5TfcdHj4fmbv9VEzNr
Threatray 1'264 similar samples on MalwareBazaar
TLSH T187F412E1125859D1EEBC1372F0EB5D66243ABD7B8EF8250E94CFF65240B3913918A23D
TrID 33.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
33.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
13.1% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 61617383034dc686 (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315936/
Detection(s):
SecuriteInfo.com.W32.Trojan.VORE-2106.1542.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40768/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/633a8885c9e2f343543258b6/reports/a48c379b-d64b-4c8f-931e-9f0067a34685/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7d050ad2-13b0-4987-8ff5-075c30fe19ce
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082216
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found hidden mapped module (file has been removed from disk)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 714773 Sample: Order Specification-887762.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 28 www.clubkingonline.com 2->28 30 Snort IDS alert for network traffic 2->30 32 Multi AV Scanner detection for domain / URL 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 9 other signatures 2->36 8 Order Specification-887762.exe 5 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\Temp\8498.tmp, PE32 8->20 dropped 11 Order Specification-887762.exe 8->11         started        process6 signatures7 38 Modifies the context of a thread in another process (thread injection) 11->38 40 Maps a DLL or memory area into another process 11->40 42 Sample uses process hollowing technique 11->42 44 Queues an APC in another process (thread injection) 11->44 14 cscript.exe 13 11->14         started        17 explorer.exe 11->17 injected process8 dnsIp9 46 Tries to steal Mail credentials (via file / registry access) 14->46 48 Tries to harvest and steal browser information (history, passwords, etc) 14->48 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 22 www.ophrcupa.xyz 109.123.121.243, 49703, 49704, 80 UK2NET-ASGB United Kingdom 17->22 24 www.freerubuxnoscamlol.com 81.17.18.194, 49698, 80 PLI-ASCH Switzerland 17->24 26 3 other IPs or domains 17->26 54 System process connects to network (likely due to code injection or exploit) 17->54 56 Performs DNS queries to domains with low reputation 17->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 19:41:25 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdpyyuz7jamj4vwrnxk5atmdr5msz7unnqljb7rjivhmgcgg4evq._file
Verdict:
malicious
Similar samples:
052fba70767b01cb674b9311a220181a87bdf47161280bb6335c6024e163139c
Formbook
08884d4ee51df79cdb311524ec99783ddd3d73bde064cffe98b0b79118e817e7
Formbook
16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c
Formbook
3aa7c1756484419ea491d279ee27158c784eddbb6257211a4b52cb5cb95d45b8
Formbook
3c21819ed32b31c231e20b51b1f956e4160a7b8dbfe7468b096ce64b4b138007
Formbook
488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
Formbook
5d2e4f11193ed6e79071fe272dbd73db699e90f50c1ad9fdd9bdd03f165139e2
Formbook
87b05c7108251ef607d1b9bd1d717824c6a93d608e58d8e9553e403fa81e5ed9
Formbook
a1ab9c1f53303986c6bd92de286fbfcd6f8c0d41aa3847d0922a5ce5868b2250
Formbook
+ 1'254 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:qghw rat spyware stealer trojan upx
Link:
https://tria.ge/reports/221003-hsnjmacda9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
Formbook
Gathering data
Unpacked files
SH256 hash:
ea5b7e2bcbe1a887e06c3e5051a2e3cbd65680d3fe902e64c69dc41ca5bd4584
MD5 hash:
63176d5f3d96a5dc750ebf5ca5296ea8
SHA1 hash:
4351bc1d11aa99370b5efcd3bfe48315daf5a0c3
Link:
https://www.unpac.me/results/49f57b59-2cf1-4413-8bbd-fbf74b610c62/
SH256 hash:
10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b
MD5 hash:
03c2f941af8cede493cd177fbe9cea96
SHA1 hash:
f811f24a5bb048e5aaec2e7456bb6597c2408359
Link:
https://www.unpac.me/results/49f57b59-2cf1-4413-8bbd-fbf74b610c62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/315936/

Comments