MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42
SHA3-384 hash: fbf9c0ef95b228d9761fe4323749b0451095ad4f63a9ac260250667b1a2c42ad46c5b910078b05d6efe355fad50c0477
SHA1 hash: 738332f1c3e8e4d089b1f3930496d5309d0880c1
MD5 hash: 668284aad8228807c7d9503feda9f6bf
humanhash: oranges-utah-diet-muppet
File name:rGeneralContract_PGT_AMT_addendum15_Kulberg_May.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:98'304 bytes
First seen:2023-06-01 10:31:44 UTC
Last seen:2023-06-01 11:50:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:Kp0F3SSJshJixmFLZbIUfyVAEfUtz3c/rxFuXz6NLAGtLF9pZ6:KvdhJVZbIUqVA1MjTuD6NMAJ9pZ6
Threatray 1'491 similar samples on MalwareBazaar
TLSH T143A329BC67986602C35D863683E08260533A96771B47D74B0AC721ED0F677C6A84EFDB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rGeneralContract_PGT_AMT_addendum15_Kulberg_May.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 10:33:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7154f52e-d833-4403-8c47-b77ca5184699

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394338/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.7166.21340.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/647873a3b9bd75d40def88d9/reports/89b989f0-55cb-41be-b353-a6c0e3161bf6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/84d6b688-48e0-48a5-910a-853b02ede9b6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246705
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42/
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 04:58:46 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=curbue5bywkgqhj7la55snnu6dtgpmsdaisk7sqef2gvvfhtjvba._file
Verdict:
malicious
Similar samples:
3938761608aefadd2334475fafbf1ef2fd262613978ef2f2a8267c4aa8cd1e06
Formbook
4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
Formbook
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
Formbook
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
Formbook
726e443731f4005814fed05263c664cf47c64eaf2135a192fe1771e03ef42341
Formbook
a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e
Formbook
b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549
Formbook
bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
Formbook
bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055
Formbook
e2dbdd45e11e2b7e32caef9e2f4365d05e63eaf13724bea2ed842a503adb802f
Formbook
+ 1'481 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230601-mkyf3sec2z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42
MD5 hash:
668284aad8228807c7d9503feda9f6bf
SHA1 hash:
738332f1c3e8e4d089b1f3930496d5309d0880c1
Link:
https://www.unpac.me/results/06b32b54-b1dc-41db-891b-db91e1fec598/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15221a13a1c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 15221a13a1c594681d3f583bd935b4f0e667b2430224afca042e8d5a94f34d42

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/394338/

Comments