MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 14

SHA256 hash: 2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
SHA3-384 hash: 753ff9ec10810f0e150ac892766a70c019e811c54dfc1f39f07a8e50970a4d782255ec3937a5bfcff6d4d404ff0824df
SHA1 hash: 19be6ac716ff8c44effedfd0f5aa5042eb106be0
MD5 hash: 078aa5481805038692edb6ade88580c5
humanhash: fish-harry-wolfram-paris
File name: 2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
Signature: Formbook
File size: 845'824 bytes
First seen: 2023-07-06 13:30:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger). This imphash is common to .NET executables, whose only native import is mscoree.dll!_CorExeMain, so on its own it does not identify a family and is a poor pivot.
ssdeep: 12288:lBEG52iNoOe42KMu/N3mWhQmwmJCMpUgcDBti27GPlfxh8/DTBjf9eSaMbaUdBt7:jEE1mOV/NOaWA2KPlfb8Jta+ndvIJB
Threatray: 3'282 similar samples on MalwareBazaar
TLSH: T1B105F12C33EA8B4AC4BA7BFC4D64AA30C3E85D453033E35A0EE735EAAD767144495593
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: exe FormBook
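Before working with a downloaded copy of this sample, recompute the digests listed above and compare them, so that a corrupted or mislabelled file is not analysed under this entry's name. The script below is an added example, not code from MalwareBazaar; it uses only the Python standard library and assumes the sample has already been extracted from the password-protected ZIP (password "infected") that MalwareBazaar serves. The digest values are the ones listed on this page; `verify_sample` and `mismatches` are hypothetical helper names.

```python
import hashlib
import os
import sys
from typing import Dict, List

# Digests as listed on this MalwareBazaar entry (copied from the page).
LISTED = {
    "md5": "078aa5481805038692edb6ade88580c5",
    "sha1": "19be6ac716ff8c44effedfd0f5aa5042eb106be0",
    "sha256": "2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f",
    "sha3_384": "753ff9ec10810f0e150ac892766a70c019e811c54dfc1f39f07a8e50970a4d78"
                "2255ec3937a5bfcff6d4d404ff0824df",
}
LISTED_SIZE = 845824  # "845'824 bytes" on the page

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory buffer for every algorithm the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all hashers at once, so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatches(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Names of algorithms whose computed digest differs from the listed one.

    Algorithms absent from either side are skipped, and the comparison is
    case-insensitive because sites print digests in mixed case.
    """
    return sorted(
        name for name, want in expected.items()
        if name in actual and actual[name].lower() != want.lower()
    )


def verify_sample(path: str, expected: Dict[str, str] = LISTED,
                  expected_size: int = LISTED_SIZE) -> bool:
    """True only if the size and every listed digest match; reports what differs."""
    size = os.path.getsize(path)
    bad = mismatches(digest_file(path), expected)
    if size != expected_size:
        print(f"size mismatch: {size} != {expected_size}")
    for name in bad:
        print(f"{name} mismatch")
    return size == expected_size and not bad


if __name__ == "__main__":
    # Usage: python verify.py <extracted sample>; exit code 1 on any mismatch.
    sys.exit(0 if verify_sample(sys.argv[1]) else 1)
```

Hashing every algorithm in one pass matters for sample corpora of hundreds of megabytes; checking the size as well catches the common mistake of hashing the ZIP instead of its content.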

Intelligence


File Origin
# of uploads: 1
# of downloads: 286
Origin country: HU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
Verdict: No threats detected
Analysis date: 2023-07-06 13:31:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
  Creating a window
  Launching a process
  Creating a file
  Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: clipbanker comodo darkkomet packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 60 / 100
Signature:
  .NET source code contains potential unpacker
  Injects a PE file into a foreign processes
  Multi AV Scanner detection for submitted file
  Writes to foreign memory regions

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-07-06 13:31:06 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
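The vendor behaviours above ("Unauthorized injection to a system process", "Writes to foreign memory regions", "Suspicious use of WriteProcessMemory", "Suspicious use of SetThreadContext") are the individual API calls of the classic process-hollowing sequence: start a victim process suspended, overwrite its memory with the payload, redirect its main thread with SetThreadContext, then resume it. The script below is an added example, not code from the page or from any of the sandboxes quoted; it shows how a detection would correlate those calls per (injector, target) pair and in order, so that a lone WriteProcessMemory (a debugger, a crash handler) does not fire. The trace format (`ApiCall` with a tracer-resolved `target_pid`) and the sample trace are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess*


@dataclass
class ApiCall:
    """One traced call. target_pid is the process the call acts on, resolved
    from the handle argument by the tracer (an assumption about the trace format)."""
    pid: int
    api: str
    target_pid: Optional[int] = None
    flags: int = 0


# Ordered stages of a hollowing chain; each must follow the previous one
# between the same (injector, target) pair.
HOLLOW_CHAIN = ("CreateProcess(SUSPENDED)", "WriteProcessMemory",
                "SetThreadContext", "ResumeThread")

# Win32 and native API names mapped to the stage they represent.
STAGE_OF = {
    "WriteProcessMemory": "WriteProcessMemory",
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "SetThreadContext": "SetThreadContext",
    "NtSetContextThread": "SetThreadContext",
    "ResumeThread": "ResumeThread",
    "NtResumeThread": "ResumeThread",
}


def stage_for(call: ApiCall) -> Optional[str]:
    """Stage a call represents, or None if it is not part of the chain."""
    if call.api.startswith("CreateProcess") or call.api == "NtCreateUserProcess":
        return HOLLOW_CHAIN[0] if call.flags & CREATE_SUSPENDED else None
    return STAGE_OF.get(call.api)


def chain_progress(trace: List[ApiCall]) -> Dict[Tuple[int, int], List[str]]:
    """Stages reached so far, in order, for every (injector_pid, target_pid) pair.

    A stage counts only if it is the next one expected: a write into a process
    that was not started suspended never advances the chain, and repeated
    writes do not double-count.
    """
    progress: Dict[Tuple[int, int], List[str]] = {}
    for call in trace:
        if call.target_pid is None or call.target_pid == call.pid:
            continue  # writes into one's own process are not injection
        stage = stage_for(call)
        if stage is None:
            continue
        seen = progress.setdefault((call.pid, call.target_pid), [])
        if len(seen) < len(HOLLOW_CHAIN) and stage == HOLLOW_CHAIN[len(seen)]:
            seen.append(stage)
    return progress


def find_hollowing(trace: List[ApiCall]) -> List[Tuple[int, int]]:
    """(injector, target) pairs that completed the full chain."""
    return [pair for pair, seen in chain_progress(trace).items()
            if len(seen) == len(HOLLOW_CHAIN)]


# Constructed trace, not taken from the page: process 1234 hollows 5678, while
# process 4321 writes into a child it started normally (no suspended create).
TRACE = [
    ApiCall(1234, "CreateProcessW", target_pid=5678, flags=CREATE_SUSPENDED),
    ApiCall(1234, "NtUnmapViewOfSection", target_pid=5678),
    ApiCall(1234, "VirtualAllocEx", target_pid=5678),
    ApiCall(1234, "WriteProcessMemory", target_pid=5678),
    ApiCall(1234, "WriteProcessMemory", target_pid=5678),
    ApiCall(1234, "SetThreadContext", target_pid=5678),
    ApiCall(1234, "ResumeThread", target_pid=5678),
    ApiCall(4321, "CreateProcessW", target_pid=8765, flags=0),
    ApiCall(4321, "WriteProcessMemory", target_pid=8765),
    ApiCall(4321, "ResumeThread", target_pid=8765),
]

if __name__ == "__main__":
    for pair, seen in chain_progress(TRACE).items():
        print(pair, "->", " > ".join(seen) or "(no stage)")
    print("hollowing:", find_hollowing(TRACE))
```

Keying the state on the (injector, target) pair rather than on the injector alone is what keeps the false-positive rate down: an EDR sees WriteProcessMemory from legitimate tooling constantly, but a suspended create followed by a write and a context change into the same child is rare outside loaders. It also explains why the Formbook YARA rules in the next section match the unpacked file rather than the submitted .NET binary: the payload only exists in memory once this chain has run.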
Unpacked files
SHA256 hash: b5582e73e588fc959cae146c63acd70c9051dd96f3ff5113f643766f848f8e94
MD5 hash: c9b3905a3a1f68967d555842586865f5
SHA1 hash: c9b61046eb966be617cef654ebd6cf7a6b585bf5
Detections: win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: 57b7c6678d14d1f241d11540546d0f726b19fe65e71168b325e8b7146daf3dc5
MD5 hash: 104b4b88600bdd650c4e3f8903d9d292
SHA1 hash: d50033a865b5e43e8e2b69a06fec4761375f2c95

SHA256 hash: 677f84b56c7e1beec6852bd9834b5e0ba910a689ac36e798ff6b68fdec6c98b9
MD5 hash: 0835765f07f71b975d87ec59ec4a49c4
SHA1 hash: f19260bebc67d5dc614f58a4b5607c677720f06a

SHA256 hash: 31364b6cb1a519a908edec108060e33d2ca53b018c4f37ab283c1c0d810fe126
MD5 hash: 6df085f2504117dad99f5089eff81cef
SHA1 hash: 7be2f37b6f191c5cb8d10781497b3b22cfd1b811

SHA256 hash: f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash: 15aab611795bcbf2758052944013be1a
SHA1 hash: 772a1002b111e117cf3b1e9f0cabda4894777399

SHA256 hash: d896e9cbed9020c3d6d6378cdf66468fdfcb44e4bdf8539ede8b5c7d2441347a
MD5 hash: 396e182948a7b12e9205e2f713fc57ed
SHA1 hash: 42b4686fb78443cb09b5779c0113486504ad62d7

SHA256 hash: 2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
MD5 hash: 078aa5481805038692edb6ade88580c5
SHA1 hash: 19be6ac716ff8c44effedfd0f5aa5042eb106be0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments