MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
SHA3-384 hash: b67ca9079e675721f441a96403d1d47f79b1a182aed26ec9c3d7213aee7b24a6057bbb4628636792338b16cfcfff4b5c
SHA1 hash: 02488206754da10406ba2582a8bb86a2a25f1a77
MD5 hash: 36b0d70f7a9f2a51bd2884f0e31ac873
humanhash: idaho-march-pluto-sink
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:882'176 bytes
First seen:2023-06-23 08:42:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:12qly+7PM7q6bpw4dcZda/ig8rJdpc0SKHhTDC1Q0xQlXBi+ENP7UQM5VdfTqYo4:jSzu4CZdO4ZPHmQlXBi+6P7UQOAM1
Threatray 1'642 similar samples on MalwareBazaar
TLSH T11D15F11022784F13E13E87FD1461267093F8A69A706AD34BCEC7B8DE6F66FC10259A57
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
No threats detected
Analysis date:
2023-06-23 08:45:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea71964d-471d-4c78-9482-a109d497bda6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402006/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67645437.18050.5345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/64955b16d1be9f65da1d265f/reports/9900ac76-c731-405b-b818-a04ae465edc5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6031f746-d380-4212-a5ed-f8fe4a72d906
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1260265
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 07:41:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iewgdcgbvnlntja3zenkjm46mzhmsndkogfhv2n7jflbqiynpqwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2818ae5c4fb98d4ac50ce7055d3ff9688dedb6b0e5344a14a341f4c151a36522
Formbook
4faf527fcde9f38b487c5f4a7c29dcba98977f664c1f2c8be13bc88c7232f496
Formbook
5e1d57c89f656b297ae6bfec8f8feaa2c6cf1d4d80148ec9eb1644f0a23c7920
Formbook
6689c58325956e0d5afe938fc8139589f85d44ff8733a6080c123eac34219e5b
Formbook
6f1acd309fb5ffdbfe2e1ca42dd060ed57e2107767f945f47cbbd71a5a189062
Formbook
751979a730418403c73ea0e14c8ad5d77d4fd95de07a9cc24aa3ca21650ee1e6
Formbook
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
Formbook
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
Formbook
da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84
Formbook
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
Formbook
+ 1'632 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230623-kmklwsde74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
63bf875417a4d14485debe930a5948b79f02b45bd9669c530e717d929bb8da99
MD5 hash:
f927688f7160b7a62052b1d3ff01d77c
SHA1 hash:
bb0924d0778ae7ca1992c3fedbc4f3a6301584cf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
Parent samples :
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
ed570698ccddfc346f65b5b86045d8af239e0d2400acd5836818b95e7b658cff
412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
b45f9e29351506203a4101b1559e928ec3de39850008d82598b8ce1c3a7a13c3
117657ffb63ef0b6355173babb3e4fd141dc8be775e2ef30c23953b6396f4f45
00d56f9d4e23372133f953d1a0bb58567bc2e9bc34f9e70304116a6382448458
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
SH256 hash:
f01a6fc735878ac63e8b5585179a21b4dea5d15b5c679ac90cbab1a9d36958cf
MD5 hash:
3532237c1316ef2cc8a39372a6b5f72c
SHA1 hash:
5cf317deeff0ce552c933c7d4e44ef3f5bd7746e
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
SH256 hash:
bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812
MD5 hash:
29432c0db5445ce74b8a1042234187af
SHA1 hash:
fdc1bce5c868fbaed48ff27b3cc73b752bc66e75
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
SH256 hash:
ae28a826aadf2b9f5beab0392baf5f28d2fe78772ee829dd7176eda538b02553
MD5 hash:
b536331634cad2b836cf2d7b5fe05889
SHA1 hash:
b27ed85810ff000a2435b8be653eb089281b8c1d
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
SH256 hash:
28169f003110192392d69e9402ee7db770f9aee19852dcb318d92108bf595f2c
MD5 hash:
dcf1cbb152227447768021e943611d0e
SHA1 hash:
967ae32ce174e63fef4285dfbd5efea68657c0c5
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
SH256 hash:
5574b15d1d9b6ca0788510ecf4d2547dfe7858f5408ab2952744cdf498dba3d7
MD5 hash:
5b74d155844090a9c612bb0016a56b89
SHA1 hash:
2e6b460b89836c92633f51f218a074bb6f068552
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
SH256 hash:
412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
MD5 hash:
36b0d70f7a9f2a51bd2884f0e31ac873
SHA1 hash:
02488206754da10406ba2582a8bb86a2a25f1a77
Link:
https://www.unpac.me/results/30ea4f2f-fcf8-4d41-8abf-da28c77cc60f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/412c6188c1ab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/402006/

Comments