MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd
SHA3-384 hash: 6ff4daffc3d52f12111200046804792fa0e4d2231abf7c94db72745d9959e011296a266f2051e6c32c15331f1583d7b2
SHA1 hash: 9ac1652a53cbb0966e1e98a7392d312e9025e9a6
MD5 hash: 18eaf595b5c647f5676daf3aadbca720
humanhash: missouri-india-mobile-maine
File name:New P-Order-19.05.23.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:917'504 bytes
First seen:2023-05-19 08:25:47 UTC
Last seen:2023-05-20 15:16:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vRLpNaPn0YPX/N94+OCYMMY9hLV8bTJ2laXGxD8T8b/YvhLxJYzOhHu9mIUm3fmi:cP0tZqhB8bm4+D8Q0NJCO9u9mIUeohW
Threatray 2'883 similar samples on MalwareBazaar
TLSH T17215F19129A89C21F1A6AFB546B3F23453796C51DB23834D64E02CA77D3BE837A057C3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon e869f1f070f03054 (8 x Formbook, 7 x AgentTesla, 4 x Loki)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
249
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New P-Order-19.05.23.exe
Verdict:
No threats detected
Analysis date:
2023-05-19 08:28:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab607b66-b0b8-437e-82c8-1f0e3b834b72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23507.2422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6467329b29a0460d00cb7e8c/reports/135bcdf1-0c36-4933-8569-0bbdb786679f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d9afffc-3d36-4e9f-81dc-51abef1719be
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1236966
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869961 Sample: New_P-Order-19.05.23.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 80 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected FormBook 2->23 25 3 other signatures 2->25 7 New_P-Order-19.05.23.exe 4 2->7         started        process3 file4 17 C:\Users\...17ew_P-Order-19.05.23.exe.log, ASCII 7->17 dropped 27 Adds a directory exclusion to Windows Defender 7->27 11 powershell.exe 21 7->11         started        13 RegSvcs.exe 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 04:27:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fuxehs56jsaxm53uvq7ouxs7dgnrvvrdhzdhb46ckdglns3yc7gq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
17ffde8137ccb72df1cf904e6e550a14e03c6e7029a507731a0a721697249851
Formbook
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
Formbook
633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f
Formbook
7d0fdf3abd56e00933c0fa8cf573b948a4c9d85248915249f1909e6775f75e75
Formbook
abbf85558290e3fa302f88f51243e5216f24c9bc4fce64a0f616db3be2c46e8e
Formbook
b5f2e0b49faad7f9714d0b1088965647eb83d8772b234555738bcea1094dfd2f
Formbook
cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36
Formbook
e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
Formbook
ef201fa6a83547a8b5a1514e948d4208ee20bd4d37c1fe57d81bb1c2dfb1caf5
Formbook
f815d1ea14ef2734defc99e94b62ea6d0fd6a98f15a17c4476eef17b14f2587e
Formbook
+ 2'873 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230519-kbt17ach22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
09ef1a3ac1ab881dd9ba77922828769e3512c45c1518213f486b4fa387846dba
MD5 hash:
d3c7b5966bcec96e0cb234aba798af28
SHA1 hash:
e03c98b8a6a6c21d8191f6c9fed0a00e5f3816d9
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
Parent samples :
633e769b4943468dd81e9fa530390c4aa40aceb88fb0fb8a3e647faaea56df9f
2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd
SH256 hash:
e6406411b33b59b6f05a84af9565fae4c335b013731ab222152366180cb1ef8e
MD5 hash:
7336121458c6127b1f5fa668dc05ccb5
SHA1 hash:
419171a9cae4cf7d91ffd6999e9dc070ae8432c2
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
f46647aca1b93e2be0c6f2827a189fb019fd2ca300361637667508564fc32164
MD5 hash:
366c2de82e38f5302b26098dc7123752
SHA1 hash:
6d565d1cca06173641f9d2f042ee228443a991eb
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
SH256 hash:
8c6c5d054da8db0a367bdda35cd0c27ca30dbccd4a71b0eadffb80a6fec6f2ff
MD5 hash:
7d5838b2d542b393e12abd1a40bbddd8
SHA1 hash:
52d3bedb9fe374c2f32c51e3274004a1b1eba77c
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
SH256 hash:
b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23
MD5 hash:
a74d4ff639d43c44d7dcf925dfc3b2d1
SHA1 hash:
1db08e8f485ac81d554e836a784589ab4cee8486
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
SH256 hash:
2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd
MD5 hash:
18eaf595b5c647f5676daf3aadbca720
SHA1 hash:
9ac1652a53cbb0966e1e98a7392d312e9025e9a6
Link:
https://www.unpac.me/results/598b6428-b963-4b57-9076-c51f6c19eb5d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d2e43cbbe4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 08d938e8c57e7cacb29570facb91b726740a519840acad4872eee4a1af4ce8f3

Formbook

Executable exe 2d2e43cbbe4c81767774ac3eea5e5f199b1ad6233e4670f3c250ccb6cb7817cd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 08d938e8c57e7cacb29570facb91b726740a519840acad4872eee4a1af4ce8f3
  
Dropped by
SHA256 18f9ca56c276a3166e91d0301bdc737a11291caa51a0c66a65e2090348de156b
  
Dropped by
MD5 a3f0a6f1fa1cbc9bf1a657aa6d38a8d7
  
Dropped by
MD5 7ace042e43a67d49d5513edc718e6c49

Comments