MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763
SHA3-384 hash:	29792adddcc43b159fb1306fd34c3d19de18000087967adcab6e0553fa0279ea363c994a7d0d8c8b899c8b02ca856359
SHA1 hash:	5f223b9a3c00789baf089c7a9b9068a5dd6b3e39
MD5 hash:	82b558699eeed6577cd8a6ca9d474eab
humanhash:	delta-beer-uncle-eighteen
File name:	SecuriteInfo.com.MSIL.GenericKDS.61009645.tr.21601.2452
Download:	download sample
Signature	Formbook Create hunting rule
File size:	880'640 bytes
First seen:	2024-03-11 02:27:21 UTC
Last seen:	2024-03-11 19:50:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:eUdLPloPsUgadoO7uX6gdt+ViubZgrcyOi6la:eyPloPmadoO7Rgdt+Abr/
TLSH	T1701502F0F5A5B743C0A25BBA5B50D02516613C7E60A6CBDDEA903EDDBDB6308064FA43
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

527

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763.exe

Verdict:

Suspicious activity

Analysis date:

2024-03-11 02:30:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e3438fa3-adbf-4267-8194-8d1d5ec6eb66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/478457/

Detection(s):

SecuriteInfo.com.MSIL.GenericKDS.61009645.tr.21601.2452.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/65ee6c3383a3efb188d04a39/reports/e0e0f921-c88c-43cf-9136-18cc4be6a5a8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MSIL Injector

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5de9ec89-c4a8-4676-91dd-dadf9361e2ed

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1406290

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-03-11 00:03:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dr2lsoy2usvmzpxq6enlkrtofo4adiuewtc5fwkntqaqwaetc5rq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240311-cxz6bsac22/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

78d6d8fd9900196806296a6f6ba9f6ff821e69761284ed08e4d2cb5ba68d5edd

MD5 hash:

c911ccbfe23a3f3835377090673f24d9

SHA1 hash:

da26b2a0c791df1ba9c21953567ce992997ddb08

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

Parent samples :

d80d15764111eb80aa6f43d95f3effa13eb47c43937a578d78692769953defc0
0b635b5bcfdf7f115415cd72598cb387441cb7d0fcd2ad3937737fc01c05ca5c
d7eab9eb726b311e97b0c71522363b9223f767f7474c5cbf4d9bf0df9c4b909d
1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763
99508e1f259485c8c1a9b8a6b60c2fa9355caabd41e6c78854252cfa397673b7

SH256 hash:

b3f2bcb08ae6ed77b51186dc73ac27afc31c9e3b175914fbc7e932a053024057

MD5 hash:

8edcf081ada9f28a2722afb40ac6e099

SHA1 hash:

9a1d6568a6063fccac7eef51a12cbdaa81b82262

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

SH256 hash:

06a1ae787e808d6287de314be8bec64ef2e0d3bc1bf2ea71ae268c7b8fb19e2d

MD5 hash:

91b39e533d48f5fa25ac604da90b3d8d

SHA1 hash:

f5dadf1e8fcbe64609e4cd78a27e2810f7a6e69e

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

SH256 hash:

c8c1020fe926cc1851b73c1915ad32e2fc393dccb402782aca8f4ea6379ba84d

MD5 hash:

ef7cf89d9ec52b18a8f5b6ee49820f46

SHA1 hash:

dcf9cb9bb3f72ca4b3cc0c00b27bd9ce10b554bb

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

SH256 hash:

c10c9b0882bac6f788f48b4dabe3291b14e639e650f2b9fcb0bc174ac92ae02b

MD5 hash:

7c7fb6daa78beb69128991ff893143ed

SHA1 hash:

c01bb99984b12b84129db80eae1d5d8341a358e2

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

SH256 hash:

42d598f996babf74a7774385e5f62b5dddceee640d670c90d3966cfa15c6da48

MD5 hash:

a917096f1b3ad1bf208bb024ebbff5fd

SHA1 hash:

b040e99f1ac722f1c3c9f67031099c65258656e5

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

SH256 hash:

1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763

MD5 hash:

82b558699eeed6577cd8a6ca9d474eab

SHA1 hash:

5f223b9a3c00789baf089c7a9b9068a5dd6b3e39

Link:

https://www.unpac.me/results/6093d8ed-8d89-49ff-af3e-d5aeeca4bffc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c74b93b1aa4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/1c74b93b1aa4aaccbef0f11ab5466e2bb801a284b4c5d2d94d9c010b00931763

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/478457/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample