MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8
SHA3-384 hash:	83b703599c8c066691ac5b27971642a2d9bf714f42f53c1b2cca57f03deeb9065aa35f35925d8a30a176aa4d73a1a83a
SHA1 hash:	6b140e76947ccdcefc6a0f37168bd40bd9dc0cea
MD5 hash:	791fa784ac2ea441f8034ba700060c5f
humanhash:	jersey-floor-purple-aspen
File name:	shipping docs.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'168'384 bytes
First seen:	2024-09-09 11:31:03 UTC
Last seen:	2024-09-11 20:52:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:sAHnh+eWsN3skA4RV1Hom2KXMmHadGbWD4u7+ZgGi7Bd4PtxnLX5:Lh+ZkldoPK8YadS84u7+ZgxdOtxV
Threatray	1'284 similar samples on MalwareBazaar
TLSH	T18F45BD02B3D2D036FFAB92739B6AB20596BC79250133852F13981DB9BD701B1277D663
TrID	63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10523/12/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	fbb9f97167f7ffdf (1 x Formbook)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

402

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

shipping docs.exe

Verdict:

No threats detected

Analysis date:

2024-09-09 11:35:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c9394497-3b7f-42db-b6ad-59baaa61fba9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Inject5.8642.23975.24497.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66dedcb5ee4e8155781716c1

Tags:

Execution Network Autoit

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit epmicrosoft_visual_cc fingerprint keylogger lolbin masquerade microsoft_visual_cc packed shell32

Link:

https://www.filescan.io/uploads/66dedcb779cd907bfff0ee94/reports/3ace6566-147d-44f2-9dce-6ccaddcf9abc/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f4f537b-f99c-44f6-a237-264407b9f642

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1507867

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-09-05 14:01:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gkz3odefq626iv3uh74roxknvpyg5khq2pa6lbolrzgnslyclgua._file

Verdict:

malicious

Formbook

3629d34fdcf6679f6baa6bbb4f95c3f4c193022b9188218606b6832fc1f861e2

Formbook

5a2ff424e21c1ab4f0e32bb5eb18f93e7f5a3abb3a401cd69b71598fde93e24c

Formbook

b96c94f2fb7072f885b94cbbf77e849b608df0b60b99819b4a0aeaf8761d3b47

Formbook

be4d23c7a2ff6bd0a2f74734e18faae796fe0ffa11987528fbd8673a2a0f2fb3

Formbook

c18e91fedad79cf98044d7a754dd39b673018e28dc6935bc9d63515b8d91a6be

Formbook

d3d1272d0b575b6ecf379433753feb831b42a0a9a8ba10e1708de0f8b8b82f62

Formbook

daa69f6b826aee3b3949e40f993f10a5f30faf0834985039cbfa21d20029f0a1

Formbook

+ 1'274 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240909-nnbl6axgph/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9ac47f9c-3477-4ca6-9b6c-f0f2a4bbc0bf

Unpacked files

SH256 hash:

42a02ef73fa441d0b0f1e1b9c7e3dbb9b87c0e22173ac836f00286a805f8afd5

MD5 hash:

217b9395079728b5ba3a3f39b267821d

SHA1 hash:

71afcbae101083faa528dfd3bfc5ac88bb885f05

Detections:

win_formbook_g0

win_formbook_w0

Link:

https://www.unpac.me/results/7384eb47-4dd5-4c3e-b845-1fd941bd27cb/

Parent samples :

6a3a4b3a7fa4a70df08053d630dc5e368fa5a614b44d604daa419764a327c0f3
32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8
174d282d862c115d2fec1e6e0de49a650a8105950f71a95300e1aea14a9384e9
85bebafe85fe41c6286aa08ab3378ad7fcb6b4c4a05c8d41d595d331815d5a2f

SH256 hash:

3ccda0cdeb769eff1440d0b0c85ba0f89329cdd3a547f629f0ad705b38bf23d2

MD5 hash:

51c1fafb1a32b30dc006d2566d328f26

SHA1 hash:

b3316ca82a1cbcf60e716d3eb2a937f451e8325a

Link:

https://www.unpac.me/results/7384eb47-4dd5-4c3e-b845-1fd941bd27cb/

SH256 hash:

32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8

MD5 hash:

791fa784ac2ea441f8034ba700060c5f

SHA1 hash:

6b140e76947ccdcefc6a0f37168bd40bd9dc0cea

Detections:

AutoIT_Compiled

SUSP_Imphash_Mar23_3

Link:

https://www.unpac.me/results/7384eb47-4dd5-4c3e-b845-1fd941bd27cb/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/32b3b70c8587/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 32b3b70c8587b5e457743ff9175d4dabf06ea8f0d3c1e585cb8e4cd92f0259a8

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample