MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f
SHA3-384 hash: a8ab7311dd13a1629eee294b8033c5adebd1bd54da300247adf25d5148624433ce7fd9c33ca2db006b6168f986330812
SHA1 hash: 8c350aff45dbb05c1d61eb885a13b591544b70fa
MD5 hash: 246238533bb596d52737946aaf4b4d37
humanhash: berlin-ohio-charlie-early
File name:Project Execution Order - (PO 546788) (PO 546789).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:39'424 bytes
First seen:2024-07-01 11:41:56 UTC
Last seen:2024-07-04 07:13:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:fsNjci832cy7jQNDy1SXNh2xEPICOVvHX9RL7D6p05iVXXXtXXXXXXtX41hoJOuy:vHwL7D6Shho16G+SIp1b5tPeWTU
TLSH T17C03E944B3A8DBA2C22553FAF42311F913315E57E422EB4B1C8A7ED73A71BD20526D47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 491c3464d4d1d756 (1 x SnakeKeylogger, 1 x Formbook)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
369
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Project Execution Order - (PO 546788) (PO 546789).exe
Verdict:
Malicious activity
Analysis date:
2024-07-01 08:09:30 UTC
Tags:
formbook xloader stealer
Link:
https://app.any.run/tasks/99796609-a436-42cc-bf2c-739afbccbf59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.24959.12160.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66829689bba6ccecd93a1646win10vpnfull_triage
Tags:
Execution Generic Network Static Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6682961121581a9281a08a54/reports/54d15051-b2db-4342-bc44-654eaaa9826e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc177e69-8f9f-498a-bd5f-7b1d8b8cfa1e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1465254
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Copy file to startup via Powershell
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465254 Sample: Project Execution Order - (... Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 48 www.zj5u603.xyz 2->48 50 www.thelbacollection.com 2->50 52 15 other IPs or domains 2->52 74 Snort IDS alert for network traffic 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 82 14 other signatures 2->82 11 Project Execution Order - (PO 546788) (PO 546789).exe 14 3 2->11         started        signatures3 80 Performs DNS queries to domains with low reputation 48->80 process4 dnsIp5 60 coldfusionnitirous.com 162.213.255.55, 443, 49711, 49712 NAMECHEAP-NETUS United States 11->60 46 Project Execution ...(PO 546789).exe.log, ASCII 11->46 dropped 106 Injects a PE file into a foreign processes 11->106 16 Project Execution Order - (PO 546788) (PO 546789).exe 11->16         started        19 powershell.exe 13 11->19         started        file6 signatures7 process8 file9 62 Modifies the context of a thread in another process (thread injection) 16->62 64 Maps a DLL or memory area into another process 16->64 66 Sample uses process hollowing technique 16->66 72 2 other signatures 16->72 22 explorer.exe 70 2 16->22 injected 42 Project Execution ...88) (PO 546789).exe, PE32 19->42 dropped 44 Project Execution ...exe:Zone.Identifier, ASCII 19->44 dropped 68 Drops PE files to the startup folder 19->68 70 Powershell drops PE file 19->70 26 conhost.exe 19->26         started        signatures10 process11 dnsIp12 54 www.thelbacollection.com 212.32.237.92, 49726, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 22->54 56 td-ccm-neg-87-45.wixdns.net 34.149.87.45, 49722, 80 ATGS-MMD-ASUS United States 22->56 58 2 other IPs or domains 22->58 92 System process connects to network (likely due to code injection or exploit) 22->92 94 Uses netsh to modify the Windows network and firewall settings 22->94 28 Project Execution Order - (PO 546788) (PO 546789).exe 2 22->28         started        31 netsh.exe 22->31         started        33 msdt.exe 22->33         started        signatures13 process14 signatures15 96 Injects a PE file into a foreign processes 28->96 35 Project Execution Order - (PO 546788) (PO 546789).exe 28->35         started        98 Modifies the context of a thread in another process (thread injection) 31->98 100 Maps a DLL or memory area into another process 31->100 102 Tries to detect virtualization through RDTSC time measurements 31->102 104 Switches to a custom stack to bypass stack traces 31->104 38 cmd.exe 1 31->38         started        process16 signatures17 84 Modifies the context of a thread in another process (thread injection) 35->84 86 Maps a DLL or memory area into another process 35->86 88 Sample uses process hollowing technique 35->88 90 Found direct / indirect Syscall (likely to bypass EDR) 35->90 40 conhost.exe 38->40         started        process18
Score:
80%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-06-30 23:24:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmpctm2pkjmyp3zscbujwql6upa2bnhvzc6pdahpaakiuptnbmpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:45er agilenet execution rat spyware stealer trojan
Link:
https://tria.ge/reports/240701-ntz7pssgnp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Program crash
Suspicious use of SetThreadContext
Drops startup file
Obfuscated with Agile.Net obfuscator
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/466e1753-e027-4383-86be-6f2feebd01da
Unpacked files
SH256 hash:
531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f
MD5 hash:
246238533bb596d52737946aaf4b4d37
SHA1 hash:
8c350aff45dbb05c1d61eb885a13b591544b70fa
Detections:
INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Link:
https://www.unpac.me/results/42dc16e0-7bb1-479e-9e7d-e117c368480a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/531e29b34f52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 408e418404d842718d88720c6706d3a0a07f40f0e04159091ea31c7333c2f958

Formbook

Executable exe 531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 408e418404d842718d88720c6706d3a0a07f40f0e04159091ea31c7333c2f958
  
Dropped by
MD5 39fc68f13cfd8a3cd4e280d33b2fc15a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments