MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626
SHA3-384 hash: 8a5eda53e7b0120c25da322a5dc683d1d717b4c7dbd24ba1925d4a9fbf1eeb617effec679ad9edc402f2ab75b612e7ac
SHA1 hash: dfa7222698a7c11cdd2198ea11db4aabd4d1e6b1
MD5 hash: bdbc3d868a0598c8be60bc528344cbad
humanhash: failed-timing-florida-north
File name:PMP-INS-93-2436-IN-101.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:334'010 bytes
First seen:2023-08-14 06:31:47 UTC
Last seen:2023-08-14 14:00:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:AYa6WUesO0LjOj70gC2w8hGEdipxI6Oemb/2qbNAy5Rh4lPVj0niH75r:AYIUesO0nGa2w65A8bDaCyy5PAj0u1
Threatray 3'678 similar samples on MalwareBazaar
TLSH T10F6412846BB9CE63D55642B1003EC626AF750D322944816B6340FB3A7DB62C2999FB37
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
264
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PMP-INS-93-2436-IN-101.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-14 06:35:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5281d7b1-0e99-4272-9b6e-eb6bb46ac2ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442574/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.1848.6611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102813/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43ee5a8c-b486-4ba1-9dbc-4bf4a994bb3e
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290797
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-13 22:06:23 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3av55ztby7t2givxchomwmg4pcjv2c5e3uh4ensulyopojaeyta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19c456f77ef7a2c3d34f397ab4d435092281b157a76ab5e5002370a283e40e65
Formbook
1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
Formbook
2fe516e9dac323f21ac793310c22d151e6d95079a59cc99ed6cad79691901c26
Formbook
61c6ffbcd2c7c685bf8e3f6181f28c0e5ffb915a382b5c5848ef71e13042b41d
Formbook
655e1f7802f469886876b59344e294c278b3573a84c278c4f888627ebb5f2619
Formbook
85176443ab1c87d4387378979a276b860b6306e6ae17749d0a1072111cc14a1b
Formbook
b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe
Formbook
c81c83ab1925106c70d6393edc0fcc117a4cb12ac96383ad28ceabe54c12fb4f
Formbook
e6a28d32112a201610cc54768eea5b13747326379561aecf4519927021ca46d2
Formbook
ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Formbook
+ 3'668 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230814-halx3sab56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
05d7dc8c082abee16a13810faa6a65289df055576bac70e5a5044af80e1e887d
MD5 hash:
4d92b803608d52e67b4048a0c330faa4
SHA1 hash:
5e6dbe39ff006928a51c80b2682b93110bfdced8
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/80e55463-408e-4f0d-8745-38d6902288aa/
SH256 hash:
184f2cce478bc3d1481c1e125ca33f582c1282c033b936f68127bd967684095f
MD5 hash:
1750da4587d12dc3c49bf21d3e33f39a
SHA1 hash:
47761180f95e62853dc7bb1d3f5f5f0f94387710
Link:
https://www.unpac.me/results/80e55463-408e-4f0d-8745-38d6902288aa/
SH256 hash:
16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626
MD5 hash:
bdbc3d868a0598c8be60bc528344cbad
SHA1 hash:
dfa7222698a7c11cdd2198ea11db4aabd4d1e6b1
Link:
https://www.unpac.me/results/80e55463-408e-4f0d-8745-38d6902288aa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16c15ef7330e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442574/

Comments