MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9
SHA3-384 hash:	0ce5ab250de39a8905101df823667a0eeca9cee13f3f22be51e407b04de107a58fd788c6c799324bad2abf6982f02fd3
SHA1 hash:	ad222fdbf04813fd580aa47777e7eebef1c6dfb8
MD5 hash:	14f3c6c75a935c76d774b623db680269
humanhash:	river-oregon-lake-burger
File name:	Comprovativo_248000000000000000000000002023.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	871'424 bytes
First seen:	2023-06-13 13:19:24 UTC
Last seen:	2023-06-19 14:20:17 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:BE03u4LYs4kAcKQ/Iq1CBhpmD3Q3mBnJPyS:s8A32yS
Threatray	3 similar samples on MalwareBazaar
TLSH	T14005B3807054E510E5AC32F65C39D4D4132ABF6A2C00D346B8F9BBEE6C75617CE9726E
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Comprovativo_248000000000000000000000002023.exe

Verdict:

Malicious activity

Analysis date:

2023-06-13 13:21:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/80fa33eb-0234-4014-ba90-920786a8d0cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/398333/

Detection(s):

SecuriteInfo.com.Win64.WormX-gen.16697.4450.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a file

Forced shutdown of a system process

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/64886d05c6414862d206e63e/reports/bf199b9f-e6be-40a2-93f7-037c15f38a26/overview

Verdict:

Malicious

Labled as:

MSIL/GenKryptik_AGeneric.AAK trojan

Link:

https://www.hybrid-analysis.com/sample/4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd13434e-80a0-4da0-a809-c391814b9a5e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253615

Signature

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-13 11:27:35 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jzxl26mrtulep3i3hsaz6zftushweuj453g2e5bhrhzdfy4azdmq._file

Verdict:

malicious

Formbook

4d9e0a28423515a1574837873cc75c3c495daebf2247e5353f9028d97ccf3fb6

Formbook

c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465

Formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230613-qk384sgc78/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9

MD5 hash:

14f3c6c75a935c76d774b623db680269

SHA1 hash:

ad222fdbf04813fd580aa47777e7eebef1c6dfb8

Link:

https://www.unpac.me/results/11396f5a-6a95-46ec-be56-4cdfb38c1a48/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4e6ebd79919d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 4e6ebd79919d1647ed1b3c819f64b3a48f62513ceecda2742789f232e380c8d9

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/398333/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample