MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105
SHA3-384 hash: 13466461314c527dad5c17f9266d977e42e014db6152c1855a0ad02f10a325ae95669a42dbd95a6e6b7e47003e51d372
SHA1 hash: ae9a2347fe3bd7c8836ea0ca18e30b1f4c06be34
MD5 hash: d005f24e702ff936a1fa62c3d9c37b8b
humanhash: whiskey-venus-mobile-eight
File name:E-dekont.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:242'524 bytes
First seen:2023-05-13 06:31:03 UTC
Last seen:2023-05-14 18:38:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa6nJ7o6ggR5tqLzoNei80Dtbaed8KI9gu7aobd7DM:PYd6VgR5tqLkNei80BdIyueobdfM
Threatray 2'888 similar samples on MalwareBazaar
TLSH T17334138825C0C59BD85749B12A778A9BAEE7D51122EA830F03B01BDCBF33461B907F71
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
E-dekont.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-13 06:34:22 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/248e2df5-134a-42a7-a5dd-157aeff6430c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388851/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67006445.11005.16139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83822/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/645f2ee3fe2f8f2723bac7e3/reports/596fa6d7-35ac-4db5-aa39-dfe9c59d7982/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fb6a3d4-085a-420f-bb6a-afd781eac046
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232040
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865019 Sample: E-dekont.pdf.exe Startdate: 13/05/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 10 other signatures 2->47 10 E-dekont.pdf.exe 19 2->10         started        process3 file4 29 C:\Users\user\AppData\Local\...\qmwfkm.dll, PE32 10->29 dropped 57 Detected unpacking (changes PE section rights) 10->57 59 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->59 61 Maps a DLL or memory area into another process 10->61 63 Tries to detect virtualization through RDTSC time measurements 10->63 14 E-dekont.pdf.exe 10->14         started        signatures5 process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 17 explorer.exe 4 6 14->17 injected process8 dnsIp9 31 www.hblcfl.com 172.241.173.201, 80 LEASEWEB-USA-SFO-12US United States 17->31 33 www.buyautoworld.com 188.114.96.7, 49703, 80 CLOUDFLARENETUS European Union 17->33 35 www.ifyoucanhuhyoucanhear.net 3.64.163.50, 49701, 80 AMAZON-02US United States 17->35 49 System process connects to network (likely due to code injection or exploit) 17->49 21 help.exe 14 17->21         started        signatures10 process11 dnsIp12 37 www.hblcfl.com 21->37 39 156.242.168.70, 49702, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 21->39 51 Modifies the context of a thread in another process (thread injection) 21->51 53 Maps a DLL or memory area into another process 21->53 55 Tries to detect virtualization through RDTSC time measurements 21->55 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-12 09:35:28 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=chpjhyfaq7bkuv26sjarqtpztxp7om6htetbd7nbp63aik6yuecq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25f2b36dc8b2fb7c4d2694c9d4293de356f39d61732414be8b87e772aadcb30d
Formbook
43440434172d5730884fa5f0ae4f7ae73c4815e74618d18bc405d18dd325fed4
Formbook
539d920211675f7cc535698b9223aae7d732e46d747bae86c00234e8b6dcb3ff
Formbook
615349f7344705307b2316dee1177a887390195e85d692069fb2c74def5a4ece
Formbook
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
Formbook
b71909f3cd1d9b763d573a9c76b36fcb98e57c9eba7b54a35fbe5ad154efc52e
Formbook
bedb5ef007caf41eb52f0331f1fdf5997271a828df7adb1e1132063129eba99e
Formbook
ca92353954eb428f99d73b11f26650f1ed59df39a99a04d45552c8b9ba4e1459
Formbook
d1e4cc2b2df4de229947e033f6dd65379db0d12d92ec7de9ffcc8336c1c55e9a
Formbook
d4ab87e55002c6b6e0aafcf9365ab9017946e998371e43b15a50bae8475b947c
Formbook
+ 2'878 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mr04 rat spyware stealer trojan
Link:
https://tria.ge/reports/230513-g94fqsff63/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
6169b21dc76e4e511fef5bd8cb8ecae8e3e18c46b94e898cf9ca1bc5f477cb5f
MD5 hash:
dfc6c49d8be8c2648b4a53d7925fe5d1
SHA1 hash:
e49c310fd7c0c9590d65127380360fa1151004dd
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/eaa3c4fb-1d5b-454c-b191-8ad3eddb5272/
Parent samples :
11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105
673d8cda7f0d526c493d98e45e1f517bd9b8ddf422054f481e650e95bff3a922
8a1818f6e89fe3a6a0cae314467eb120d9e3f95ad6e17099c4f3f5e18d039929
e3d4fccd07d41f7c76da4a4602079ac0883174b59ebb2f8b4c497e703b9a46c9
364dd2fca24dd00a4f94bd807353c0cbb7576f833ef754036480bbc2778b6cad
SH256 hash:
6176383056718f14a26c5472c6824973adca35acffcaacdb4206c9d704b50369
MD5 hash:
1b1e54ac5001d857a67f15b962deb8de
SHA1 hash:
47c103aae84656f20a2651cbcfdc109c2f704fad
Link:
https://www.unpac.me/results/eaa3c4fb-1d5b-454c-b191-8ad3eddb5272/
SH256 hash:
11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105
MD5 hash:
d005f24e702ff936a1fa62c3d9c37b8b
SHA1 hash:
ae9a2347fe3bd7c8836ea0ca18e30b1f4c06be34
Link:
https://www.unpac.me/results/eaa3c4fb-1d5b-454c-b191-8ad3eddb5272/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11de93e0a087/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 11de93e0a087c2aa575e9241184df99ddff733c7992611fda17fb6042bd8a105

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388851/

Comments