MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6
SHA3-384 hash:	a58fe5fbefd3ad9cec11c4b896e555decd2a322b7b6ea5c3b17421c96ae7c84479e42e3af61d3140b69efe8d69d3e4b0
SHA1 hash:	9b96aa19510fd49e13d394017284c325ea81dc7c
MD5 hash:	d93dd4200d1997c9b734bc2b1de77dc8
humanhash:	monkey-india-south-mexico
File name:	003737.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	307'416 bytes
First seen:	2023-06-06 05:40:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:AYa6rb6wHR86N8RbEpztPAZ3IZUOGAdHwWM0g4uGFzq8Mh:AYJbFx86CBEe3Il/LpXukQh
Threatray	3'010 similar samples on MalwareBazaar
TLSH	T1DE641298157ACDA6E1A2C231643B8A947EB19C3594E153170314FA2FBCF63C2DA5F327
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter	JAMESWT_WT
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

003737.exe

Verdict:

Malicious activity

Analysis date:

2023-06-06 05:41:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/17bab15b-5291-4b8f-93fb-c457cefff0c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/395979/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/89565/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/647ec6ef1b8dbf3201522751/reports/e58321e6-9aba-4b89-8008-1f7fd0ff647f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a841485e-21b0-4f0d-bb77-4fb4ff33f1fd

Result

Threat name:

NSISDropper, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1249265

Signature

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-06 01:04:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ckqgy5fhtjmv7tufyxgqlqcdu2y2qmhfbwcjohopxjjncagxn7da._file

Verdict:

malicious

Label(s):

formbook

Formbook

45c495f1765c2a86062980d2e2b196b0696247fa42199a6fd278cd739550db57

Formbook

57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d

Formbook

69b82b41a7cfa515bf64c0302089df4a7f0af0791ca5499b6c402c9638d68381

Formbook

7e730ca7f92fd178c170d14422fbd34ea085e602dc22597d4aec331df1d55d0e

Formbook

86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54

Formbook

8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e

Formbook

bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31

Formbook

e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3

Formbook

f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad

Formbook

+ 3'000 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230606-gde39scb84/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

ce25649abbe9630dc2b2d01633b89e1688fd701ef301838a083460cb11703ebf

MD5 hash:

30378a18a14c234fc4b39656c48c953c

SHA1 hash:

2506b2673a07297c20a25e8836b92d94b758f970

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/501d6fc1-3680-47b8-9908-c89f59a51155/

Parent samples :

45c495f1765c2a86062980d2e2b196b0696247fa42199a6fd278cd739550db57
86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3
57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d
bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6

SH256 hash:

5de47656d70990ec230319bd2e35b9254a19583f005487551a0d9a951607feed

MD5 hash:

c9d1695f8f861de42ff96e5a03ae3e36

SHA1 hash:

a09c013a0c262d8c8f6dba5ffbb4c2c4760129b4

Link:

https://www.unpac.me/results/501d6fc1-3680-47b8-9908-c89f59a51155/

SH256 hash:

cc4843512076608573c285a95e03361732dab93ae78fba41daba40711ceb9a0c

MD5 hash:

5f691d38b05f393f4ff97567762c27a7

SHA1 hash:

d713e31e3f4c3543971acfd67d061b06a8ac9560

Link:

https://www.unpac.me/results/501d6fc1-3680-47b8-9908-c89f59a51155/

SH256 hash:

12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6

MD5 hash:

d93dd4200d1997c9b734bc2b1de77dc8

SHA1 hash:

9b96aa19510fd49e13d394017284c325ea81dc7c

Link:

https://www.unpac.me/results/501d6fc1-3680-47b8-9908-c89f59a51155/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/12a06c74a79a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/395979/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample