MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8
SHA3-384 hash: aa901f3694790ba6776de7808eb8a25ad30cc5f27ab2bd24e45e26ce7227769c75582024a07acfc49259685469b9cb6b
SHA1 hash: fda2b808039443dc79a135766cac515d4c77bd07
MD5 hash: 30266aa21296824dbafec93a4e32983c
humanhash: october-green-nevada-hamper
File name:Transaction.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:683'520 bytes
First seen:2023-07-12 06:05:04 UTC
Last seen:2023-07-14 08:49:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:F2Td0Rloz3tuvnzTE93GUtJEoS6JjDAZW2rfdVkrVa:ATcs3tuve3pO6GZdrFex
TLSH T189E4BDD6E17AE2D3D824327A204115442E397FC43460F6A49C7AB1F276F6B4833976BE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
251
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transaction.exe
Verdict:
No threats detected
Analysis date:
2023-07-12 06:13:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75c02d12-558d-4556-8d87-0e373d05a9cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416250/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68114377.31736.3438.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64ae4294a15fc7eb4fd11028/reports/b3034396-7d14-4c1c-aee2-d0ea2ae6ecf0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0132026b-d55e-4330-abc1-13a6b9e4963f
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1271636
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-11 08:19:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=himrybp265p4t5ohn74sjj5wy7abhq7n7d6fqo32ctowi6gh7dea._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230712-gs7rtscb29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
5116e684fd5ebd8f2832244c3922eb4c169c6099cb3413139a85b29f1081ac9b
MD5 hash:
bff3033c56a13e96d31ef97d4a6182ae
SHA1 hash:
4ddd8ccb2c56bc58382d210bf39ab74e7069ebf1
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/16be7ef7-b910-4d82-a80b-e6ebde376861/
Parent samples :
d0dee99d6879a777938604421ce10c42a0fba9420f8fe7a77f8a4875a869208e
3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8
SH256 hash:
b857b32d49f752e8b272ae44aa3c51747567f3ef636a318ff4cd860849a33b75
MD5 hash:
7fed4819faf1e9da495ab858eb5e24c0
SHA1 hash:
3cc4cd985db1ca9983c666ce3bd4b4597a6e7e9b
Link:
https://www.unpac.me/results/16be7ef7-b910-4d82-a80b-e6ebde376861/
SH256 hash:
2d6f909e879266cbac2f81bd9728605ed3a59f77680ed7395a30a1b0878d4f7e
MD5 hash:
fbc2c86747b6c28b2ed56e55ef8b8f28
SHA1 hash:
f91bc468002f299e3c570528dd5162ce3697dfab
Link:
https://www.unpac.me/results/16be7ef7-b910-4d82-a80b-e6ebde376861/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/16be7ef7-b910-4d82-a80b-e6ebde376861/
SH256 hash:
2533d367f9ac30872666f71c6c786ddf9c1a60e24e07dfbc015d1640c5882743
MD5 hash:
8f43f2be0d3afe4c94a76594f04a9735
SHA1 hash:
6ab89fc9c930c99412593c7237baccc90f8c4c5b
Link:
https://www.unpac.me/results/16be7ef7-b910-4d82-a80b-e6ebde376861/
SH256 hash:
3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8
MD5 hash:
30266aa21296824dbafec93a4e32983c
SHA1 hash:
fda2b808039443dc79a135766cac515d4c77bd07
Link:
https://www.unpac.me/results/16be7ef7-b910-4d82-a80b-e6ebde376861/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3a191c05faf75fc9f5c76ff924a7b6c7c013c3edf8fc583b7a14dd6478c7f8c8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/416250/

Comments