MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63
SHA3-384 hash:	18a51ba738f3c835b1895aff5b3ae26ae16f43fbc0518f3c70157c0df2a61ed69a7f288bbe3e65da56b5d6bc1c54adb7
SHA1 hash:	c5c553fac7c60d1f55de6e9718bfc2c95cc07ea5
MD5 hash:	dc3e0fedd5d71f89bdfc4db60e21874a
humanhash:	william-montana-blossom-foxtrot
File name:	PRICE ENQUIRY, ENQ REF-LPRN- 20231096_PDF________________________________..exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	729'088 bytes
First seen:	2023-05-25 10:03:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:8aWIm6lVvtzZBEP85VXHx14LlGyhsbsCe0FAQAW58aEcqW3obeO6+H3Xy:RTmIt9BEP8bXx8GOsIfGAQ55PL46On
Threatray	2'975 similar samples on MalwareBazaar
TLSH	T159F423E4249A9329ECA90774087563F002BFDF967972E2572C87F1C8E713B1D8162B5B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f89cb2b02cb9f060 (7 x SnakeKeylogger, 5 x Loki, 3 x Formbook)
Reporter	TeamDreier
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PRICE ENQUIRY, ENQ REF-LPRN- 20231096_PDF________________________________..exe

Verdict:

No threats detected

Analysis date:

2023-05-25 10:05:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d1fdfb9-f626-405a-b26e-62508e13916e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/391540/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/646f329874a37a9dca1b3f2f/reports/92f30588-f762-47b9-89c1-b098d9db7e12/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d7ce9a09-a367-4c70-96c2-b8059f9b2715

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1242312

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-25 07:40:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpnyledwf5adsm2zvnnbf6wof5vp7tqtqnh3ij6yadsowl63bzrq._file

Verdict:

malicious

Label(s):

formbook

Formbook

5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15

Formbook

605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609

Formbook

79f878be696492904510496633fcdc7458f7b2e2efb373f7d097b2276a708e51

Formbook

abbf85558290e3fa302f88f51243e5216f24c9bc4fce64a0f616db3be2c46e8e

Formbook

b0ebf928b4df7f41c89599e1e1320fb1d44e36e1d5a3055b376c82b912fdf182

Formbook

c1548f41733077975fff5009b326af53e7b3d52d48bb44002ca88fc69f710a18

Formbook

c918d1ae4c1635db9333c72fa06a6b04afa4a2ab37f494cd24c5e3fbc6963ead

Formbook

e0b295c6ff8b659d36af3e6b48ce997d4e094d8f50bd14ec71c309a46024dad5

Formbook

e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b

Formbook

+ 2'965 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230525-l3xrtshc48/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

9b21debe11f6aa194fdd1a7618a71d7a3b240f671544a5dd26e901a5110dfb5b

MD5 hash:

a9751fc19892615fa217df414ae9c992

SHA1 hash:

4ca886c15019eb07d9e1bcd86d2ca2d0a71d978b

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

Parent samples :

4c835aea417aae501813df52306ed19c591869eee045da1fc7ede6b7946aebce
605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609
e0b295c6ff8b659d36af3e6b48ce997d4e094d8f50bd14ec71c309a46024dad5
1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63
032454dace97a2e1d466b0a2749f8a3fbaac125c110a89f43a1ecac98aa05b49

SH256 hash:

d9bdc9ff83f9a6b14cabd68d2fdc880c49cb0c9aaa548334d27e1cb809f704a2

MD5 hash:

49285c96182b78cd550e17ba061fea7c

SHA1 hash:

fed1be6a91d86ec2d50fcf8cb460dfaa3b3ed5bd

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

SH256 hash:

fe578851fad4c36699b29358c19ebc81c4e22a7fd24aa8181e2321306bdc91f5

MD5 hash:

afa1a5638f3eab76c607e3f377deb4bd

SHA1 hash:

cbc45b38c99f6dfc3513a3742a00d674b76f12f4

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

SH256 hash:

dfb7e5ba0df3227e16c65f0a8bc7b9091a3f9652683bac00bec0fba5290b287f

MD5 hash:

43b431bdcdfb87bbb88bfa75af7ef928

SHA1 hash:

a75230ffcfc17ebeaa6420b65492788ee1684492

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb

MD5 hash:

803e0c67b76960ff5d9ccb360ba9636b

SHA1 hash:

836d339682618638c6b2e3d156ad66a56e4f9ba5

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

SH256 hash:

1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63

MD5 hash:

dc3e0fedd5d71f89bdfc4db60e21874a

SHA1 hash:

c5c553fac7c60d1f55de6e9718bfc2c95cc07ea5

Link:

https://www.unpac.me/results/d4c3d090-3a8b-49c6-9ee8-e7fd449947fc/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1bdb8590762f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/391540/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample