MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f
SHA3-384 hash: dc95aaebdf82b78303443e72db8be62f1a8ae925f203dfe54c7ba466425482ada450349bad5aaf3c8bf73025a85173f8
SHA1 hash: c6bc457708c107f79dd675d8f105365edfa9d5b0
MD5 hash: a454408e0e7c205c90e3d345c0ba23c9
humanhash: shade-montana-venus-hotel
File name:33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f
Download: download sample
Signature Formbook
Create hunting rule
File size:659'968 bytes
First seen:2023-04-05 15:07:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:F/RmSzczsLnlTxKRyc6l7WUrIbknm+Wqq:FnBdoRyNliUr2km+Wq
Threatray 2'626 similar samples on MalwareBazaar
TLSH T16FE45B7D2DB89E66F439E3788BE0D023A1A1E7D3BB21CB181BD7124D4E1190275EE16D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f
Verdict:
Malicious activity
Analysis date:
2023-04-05 15:06:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5705e761-d166-4767-a23f-0bab22be9f9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380372/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66070559.30499.8104.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/642d8ed37dc0445b23891a82/reports/d78f9b11-f56b-437d-b6af-85b6ad76743b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48a81642-8eb2-4fe6-a45c-bbb4cec043f1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209000
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 841921 Sample: JXKpeA9gSm.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 7 other signatures 2->62 8 JXKpeA9gSm.exe 6 2->8         started        12 jNNPiSpfwVG.exe 5 2->12         started        process3 file4 36 C:\Users\user\AppData\...\jNNPiSpfwVG.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp39F1.tmp, XML 8->38 dropped 40 C:\Users\user\AppData\...\JXKpeA9gSm.exe.log, ASCII 8->40 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Injects a PE file into a foreign processes 8->66 14 JXKpeA9gSm.exe 8->14         started        17 schtasks.exe 1 8->17         started        68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 19 schtasks.exe 1 12->19         started        21 jNNPiSpfwVG.exe 12->21         started        23 jNNPiSpfwVG.exe 12->23         started        signatures5 process6 signatures7 76 Modifies the context of a thread in another process (thread injection) 14->76 78 Maps a DLL or memory area into another process 14->78 80 Sample uses process hollowing technique 14->80 82 Queues an APC in another process (thread injection) 14->82 25 explorer.exe 1 1 14->25 injected 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        process8 dnsIp9 42 www.fatsecing.xyz 184.94.212.62, 49706, 49707, 49708 VXCHNGE-NC01US United States 25->42 44 kioro.net 204.93.169.182, 49702, 80 SERVERCENTRALUS United States 25->44 46 6 other IPs or domains 25->46 72 System process connects to network (likely due to code injection or exploit) 25->72 74 Performs DNS queries to domains with low reputation 25->74 33 wscript.exe 13 25->33         started        signatures10 process11 signatures12 48 Tries to steal Mail credentials (via file / registry access) 33->48 50 Tries to harvest and steal browser information (history, passwords, etc) 33->50 52 Modifies the context of a thread in another process (thread injection) 33->52 54 Maps a DLL or memory area into another process 33->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 12:17:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=go7m6ioqaelgaujamcyo27frcnpsobfpoy33bspqmn4lbdp5bn7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
062d63753da1e0a1bb4af007aec07aa637cb682ae22c5bd933115340656739b7
Formbook
07843e27993206a92d9e0bfbb249332fcfedad068bec8f7f7f3f318654c7910c
Formbook
0ead3606ff3625f1daa4c3e9a592f18f0f136d0373be4db5f1500c861cc791df
Formbook
2f260a7dd8ae9e2acf2c741d221a735644f9846740c3d379f1c7edb4ce30b845
Formbook
366a6d6e0aed96880c3589d33f5ee493ddfcc1f93cbe61e02b43867fa74f73b7
Formbook
6f4246a44c4b69ed8cc30d0583be906c7a8040216321889da1bd74ba7815aedd
Formbook
a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
Formbook
f126e3eba69b00704edf308a992753bebdaca1e3a9d1b8ea6c8bd4b058e300bd
Formbook
f1ba471dbd6e6f3b10bbf3c76a9837eec27e14e034e9dc897eb32bd176291a77
Formbook
fe8dfa5a692cbfdcc238b360d8e7e2f07b673d7d7645d9d2a2eabd245213457c
Formbook
+ 2'616 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230405-shwglafe38/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
0aba00f36d50f4ed03130a500499b2a2beb2918d66fd8813918fa5706f3c95f3
MD5 hash:
979c12ffc1487e9d90f4ca6d490e3d31
SHA1 hash:
7dc3ad11e22b693b1a0bf180dda0152dbc3c0202
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c925ee5c-ae1a-4218-90b3-3284d58d5e45/
Parent samples :
fe8dfa5a692cbfdcc238b360d8e7e2f07b673d7d7645d9d2a2eabd245213457c
6c7c0667c1f5d1832dac7b75704c408f0f48dbb7cd1e66550d92a873d9c50584
5d1a3df6767d3a6649ec29bb7790ea8c90f1376a44cba1204bc0912fecf8f995
85f9e2436c4b4743d0d509dfafeaba63bc46848a31053ffb00d35987fade8fda
0ead3606ff3625f1daa4c3e9a592f18f0f136d0373be4db5f1500c861cc791df
575e8f3c11e849517340c54d016dd1b82936f844b7a107134bf175cdd3c40618
33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f
SH256 hash:
99e5c7dd3afbdbcd277629d7461038849dc1a7268cf05a3ba871dbcb8785294a
MD5 hash:
770f58d73250f8ef9a2e482f94c645bb
SHA1 hash:
373e99e0c714e1b526b764f076bcf0755911ed34
Link:
https://www.unpac.me/results/c925ee5c-ae1a-4218-90b3-3284d58d5e45/
SH256 hash:
6c39e89c5cc8cd58b235f4ae5cdf750b5db7575e6b4a4722331e746418fe5e78
MD5 hash:
26d5f55d562b773d95a9cffb1ffceda9
SHA1 hash:
7667b5db3a76ef734398177dca83366d771f827b
Link:
https://www.unpac.me/results/c925ee5c-ae1a-4218-90b3-3284d58d5e45/
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/c925ee5c-ae1a-4218-90b3-3284d58d5e45/
SH256 hash:
33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f
MD5 hash:
a454408e0e7c205c90e3d345c0ba23c9
SHA1 hash:
c6bc457708c107f79dd675d8f105365edfa9d5b0
Link:
https://www.unpac.me/results/c925ee5c-ae1a-4218-90b3-3284d58d5e45/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/33becf21d001/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33becf21d0011660512060b0ed7cb1135f2704af7637b0c9f06378b08dfd0b7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380372/

Comments