MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4
SHA3-384 hash: 0efecd11c6730b63f5ee036dbd7ea8403879129ad06624709846615b7a701488a8ad3ab5919aaba5b299179dd94e1e48
SHA1 hash: 2c2c30b58846ad4abd8cf9afc7c42e77ed0671d8
MD5 hash: 3e872be3033224c36cc17cccdd0db5a0
humanhash: johnny-golf-april-emma
File name:PI n0. 8234.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:768'000 bytes
First seen:2023-03-27 05:28:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'472 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7eqYCzl06/TgTU4CpRIbGut/uEP8P4OHz0NqYxl+/hdiHrlexiWiNLkphj7xHTxT:rl06MFCput/uuROHYx4/eoTiuTxzxE
Threatray 2'496 similar samples on MalwareBazaar
TLSH T1C4F42316BF838AA0C4A977B964A542C10374DBE852B3C6AD5BC024D8FF773650771EE2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI n0. 8234.scr
Verdict:
Malicious activity
Analysis date:
2023-03-27 05:33:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/26ac7397-dec5-4de3-8021-8b944fd03ff3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/377741/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/642129ba9c109cf74b2ffd8b/reports/de45b30b-9276-4982-8652-5be2d2c2c780/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35a6d890-a20a-4232-9c09-868b1a86911f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202425
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 835331 Sample: PI_n0._8234.scr.exe Startdate: 27/03/2023 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 5 other signatures 2->60 8 PI_n0._8234.scr.exe 7 2->8         started        12 GmoTlwVJfdB.exe 5 2->12         started        process3 file4 40 C:\Users\user\AppData\...behaviorgraphmoTlwVJfdB.exe, PE32 8->40 dropped 42 C:\Users\...behaviorgraphmoTlwVJfdB.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmp9A76.tmp, XML 8->44 dropped 46 C:\Users\user\...\PI_n0._8234.scr.exe.log, ASCII 8->46 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 8->70 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 14 PI_n0._8234.scr.exe 8->14         started        17 powershell.exe 21 8->17         started        19 schtasks.exe 1 8->19         started        76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 21 GmoTlwVJfdB.exe 12->21         started        23 schtasks.exe 1 12->23         started        signatures5 process6 signatures7 82 Modifies the context of a thread in another process (thread injection) 14->82 84 Maps a DLL or memory area into another process 14->84 86 Sample uses process hollowing technique 14->86 88 Queues an APC in another process (thread injection) 14->88 25 explorer.exe 1 1 14->25 injected 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 23->33         started        process8 dnsIp9 48 www.elladeehiggins.com 216.40.34.41, 49696, 49697, 80 TUCOWSCA Canada 25->48 50 www.cactus-market.ru 91.189.114.29, 49706, 49707, 80 RU-CENTERRU Russian Federation 25->50 52 6 other IPs or domains 25->52 80 System process connects to network (likely due to code injection or exploit) 25->80 35 raserver.exe 13 25->35         started        38 wlanext.exe 25->38         started        signatures10 process11 signatures12 62 Tries to steal Mail credentials (via file / registry access) 35->62 64 Tries to harvest and steal browser information (history, passwords, etc) 35->64 66 Deletes itself after installation 35->66 68 2 other signatures 35->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 22:26:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdbfizgbyio3pmrldrdzsew3y6qx7h2xoiawkb7dv6vqj3mdm7ka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ead3606ff3625f1daa4c3e9a592f18f0f136d0373be4db5f1500c861cc791df
Formbook
10f07d893ce971191295d3c52b3a5c761b62edde3a50981cafb2ffc5fab72dab
Formbook
13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7
Formbook
200100b843cccd6b1fc8f2455de2d6069aa6272b3b2d94e805ee72d08bbfd665
Formbook
3a660d27e5c230dc07725cde5222c679ca2b402835395815ca28ac5334b8b6f1
Formbook
5dc78112397a04a6b3cef6f63aa0c817e641cb4cefb8fd91958cdfed48d57bbe
Formbook
adb24e3f246fd2e4d38866e9273f7f511af700a1601399bc695b01c5ccdbd43c
Formbook
ef2967d3d123dfc575f3b565943fc7354bc76ebade5256392073d1383a317d5b
Formbook
f3c78a11dc0b821e6833fc5c2040cb94a2b4f91a37d27bce5576c1daa190b8e7
Formbook
+ 2'486 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230327-f6lwvabh56/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
2547b4aa547a791c7d640d05bbcf0ad0b9f3454602d237ce4d711094d876e094
MD5 hash:
9f8b91f9fb2c65536489e8c21d75c9ab
SHA1 hash:
4a8f9db9cbf35480450a0b7470847c548ff85098
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
Parent samples :
30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4
92f8a10ac629bce80763a73e362d3266139f4367970bfcecb34b5c1f882f223c
2209edf0bdf92002d675b50958adeffbffb6f8aabf27ca011e0528b453db566a
SH256 hash:
6f372a7a6382e1da81f1bf3ae434cf3944ba401938ce653bf6020df097aa9832
MD5 hash:
548c11d4d5a260b66852253016f20c8b
SHA1 hash:
c2616495c45ed8b158a2525715f4ba1961a88e1d
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
SH256 hash:
50860597dd140f762637357031cc6384bd69d0bb7501332607d8f98055a2cadf
MD5 hash:
58c251fe88f223462dbff6fc690072e7
SHA1 hash:
c39486b9f5b6cfa5dce59faea3d0e04ac831aebb
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
631e3d7442f44068f2045d3b45bc749c83e33a765e3917da75d988ee3b30caf4
MD5 hash:
09f39cce2f4731321eed8a30d6fa1607
SHA1 hash:
92d2f09847a4452e7ce1402d0c6de5029291e48b
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
SH256 hash:
e1feb16a5ef439b478f2915ad878921cdaadbb87d9992dc59f3c4fc5f2a4a74e
MD5 hash:
8bcc89128791f87bf51dee24c444b7f1
SHA1 hash:
1b0c7eaa9a7ab41c4b7adc69b59dbf915e950612
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
SH256 hash:
30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4
MD5 hash:
3e872be3033224c36cc17cccdd0db5a0
SHA1 hash:
2c2c30b58846ad4abd8cf9afc7c42e77ed0671d8
Link:
https://www.unpac.me/results/0198081a-2952-40fb-9780-7d80cbb630ca/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30c25464c1c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 30c25464c1c21db7b22b1c479912dbc7a17f9f5772016507e3afab04ed8367d4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/377741/

Comments