MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567
SHA3-384 hash: cc6373fdba02d3ba84fd9c16279ba9cc9495d6af2cf47ca74f557d80c48b9eaed8d8f75488bde28794088bc3914e4d1d
SHA1 hash: 79f4015b9633fb92a9f3624cb9863521fd54a2fc
MD5 hash: 1261048d5ab92e3403dc1eaf43475572
humanhash: king-tennis-monkey-twelve
File name:Ordem de Compra pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:707'584 bytes
First seen:2023-05-26 14:48:33 UTC
Last seen:2023-05-29 15:58:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:UwGmzZBEP85Omp3/xC0ByTBDSV5FmtRL4lqsIi0Dkc/Z5XKS891:B9BEP8cmp3/x9BygVaI4sHo/zXKS
Threatray 3'040 similar samples on MalwareBazaar
TLSH T14DE4029175297F1BD83DC7F844343AB8A3FB61663072E36A5EE3A0CB72A5F404541A87
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:ESP exe FormBook geo

Intelligence

File Origin
# of uploads :
3
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Ordem de Compra pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-26 14:49:56 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/07202f03-a448-495f-b2dc-8bdcbc4fd7dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/392157/
Detection(s):
Porcupine.Unclassified.130923.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6470c6e668e69542aaf0eff6/reports/5ca3dea5-9340-42f3-9d38-4fa975642565/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/74537744-f93b-4941-95ad-1c1e6885f085
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243378
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 876402 Sample: Ordem_de_Compra_pdf.exe Startdate: 26/05/2023 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 8 other signatures 2->74 10 Ordem_de_Compra_pdf.exe 7 2->10         started        14 vBdjOEsuumpVj.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\vBdjOEsuumpVj.exe, PE32 10->46 dropped 48 C:\...\vBdjOEsuumpVj.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmp7C33.tmp, XML 10->50 dropped 52 C:\Users\user\...\Ordem_de_Compra_pdf.exe.log, ASCII 10->52 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Writes to foreign memory regions 10->84 86 Allocates memory in foreign processes 10->86 88 Adds a directory exclusion to Windows Defender 10->88 16 RegSvcs.exe 10->16         started        19 powershell.exe 19 10->19         started        21 schtasks.exe 1 10->21         started        90 Multi AV Scanner detection for dropped file 14->90 92 Machine Learning detection for dropped file 14->92 94 Injects a PE file into a foreign processes 14->94 23 RegSvcs.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 2 other signatures 16->66 27 explorer.exe 2 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 www.koora-hotel.xyz 54.67.42.145, 49709, 80 AMAZON-02US United States 27->54 56 autogenie.biz 108.165.90.160, 49708, 80 ACEDATACENTERS-AS-1US United States 27->56 58 2 other IPs or domains 27->58 96 System process connects to network (likely due to code injection or exploit) 27->96 98 Performs DNS queries to domains with low reputation 27->98 37 control.exe 27->37         started        40 systray.exe 27->40         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 37->76 78 Maps a DLL or memory area into another process 37->78 80 Tries to detect virtualization through RDTSC time measurements 37->80 42 cmd.exe 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 12:39:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gexci4uzv6hig5qslpcmnnb2n7migfmttmu24ud4l3vgf7bg6vtq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2eff68c23c7347d6a7614ae78fb7860aa81cebc0037d9c2a95fb795c2e2b3d6f
Formbook
3b282e85f1c3566bd088c73a424801f1fc47c6655a067b4e3534f07b4303e288
Formbook
8005c1f11765b2f062b741afe29c062901a5603959d8334ca14421a3426d7526
Formbook
88c915fc9b19666779df6aa7bf4be92a7bc293ba9a00269ae1e83f2605a54f50
Formbook
a7cbbba4240bca662bb18a1b8f3de13c839b3714ca8a869fb5c99dda91f43913
Formbook
b0f2f1f1ca40e62865e6e6024ccb5ef8691431c037289e5544ac69230d9b943d
Formbook
b9129e7533b6b2e4db2b5a65399e6761987c2d3d260ac6be681b02948544b565
Formbook
bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf
Formbook
c7057a9a9f625dc07c2d893859df339831330e74a0cfb6b7677bf973f0af279f
Formbook
eafd24a879b0e1458630666c4dbcc4f20c14a00b48525d05ef6055312085c10d
Formbook
+ 3'030 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:md05 rat spyware stealer trojan
Link:
https://tria.ge/reports/230526-r61wjsfh85/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
5d2f53b5972e96a7645fcf3bcb9b595a2f274d4154523b6052a3264b04409a50
MD5 hash:
18a503def10488a85c8db746566b294a
SHA1 hash:
1372f1ac63e6a80bc86695070b1a577846527729
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e3b43294-d70e-4514-be48-55db4ddba574/
Parent samples :
fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567
da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84
423562e381586b1c4169d9c3c00014ef14c69bc546897a47ad7a301ac6c7c3c1
b2c1a9091f518029dbac23fab825be576244e2b8d07a82fea5b93778072dd6c7
SH256 hash:
166a7695b677ecec7124a39565e1c888f5abefdb771d5d8e45dc9c03be81f6b5
MD5 hash:
778d1cbe928bf94e37541ce9f94ae8ea
SHA1 hash:
e71eddd01bd1af39b4398a8a8c6dc32b282e19ad
Link:
https://www.unpac.me/results/e3b43294-d70e-4514-be48-55db4ddba574/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/e3b43294-d70e-4514-be48-55db4ddba574/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
8674660fe1e1cc7e997932b68dff62150882585728b98db17a1c52badf9c0547
MD5 hash:
e65707ba697792cbb7759da361763d46
SHA1 hash:
877e0e806292ed0db1ffdc70543113354fb7bb2e
Link:
https://www.unpac.me/results/e3b43294-d70e-4514-be48-55db4ddba574/
SH256 hash:
b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb
MD5 hash:
803e0c67b76960ff5d9ccb360ba9636b
SHA1 hash:
836d339682618638c6b2e3d156ad66a56e4f9ba5
Link:
https://www.unpac.me/results/e3b43294-d70e-4514-be48-55db4ddba574/
SH256 hash:
312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567
MD5 hash:
1261048d5ab92e3403dc1eaf43475572
SHA1 hash:
79f4015b9633fb92a9f3624cb9863521fd54a2fc
Link:
https://www.unpac.me/results/e3b43294-d70e-4514-be48-55db4ddba574/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/312e247299af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/392157/

Comments