MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5424e934a0cfc1be041d94dd908f4ebab95d19588d7ce6e7f280b162d6c3c179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 5424e934a0cfc1be041d94dd908f4ebab95d19588d7ce6e7f280b162d6c3c179
SHA3-384 hash: 70b24259852a2996f9e0a288b509376cb84f84dbce6925812773d43ace929c81eabd9605649809bb886000ca0bf27394
SHA1 hash: a1db7d9635024edf01fca683d275d2b72bd15667
MD5 hash: edd1ce0f6eecdeae2c72b5d8d986692d
humanhash: rugby-robin-golf-aspen
File name: PAGO SWIFT 374758589937.exe
Signature Formbook
File size: 746'496 bytes
First seen: 2023-05-17 16:32:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:OdK0CBxq/0AB1nViJv5RTtKuaXN6miCz03Wwnx/5m:wixqcABFILdt8HxsWwnR5
Threatray 1'400 similar samples on MalwareBazaar
TLSH T171F4DF2426D7C62AC515C7FD84D2F2B053A6BE8B7033C6470BC6BDCBB645BE98611287
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAGO SWIFT 374758589937.exe
Verdict:
No threats detected
Analysis date:
2023-05-17 16:33:07 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2023-05-17 13:36:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash:
402560fe2ff5821f41eb1ca46d02c23d15096e644c4fd711b54f115dc6c62eac
MD5 hash:
dcbb33afb113c05f9fe49bd9dfdc5b07
SHA1 hash:
3ed59bd7af21e25a7147d52dfdbce8f4f67ad27e
Detections:
FormBook win_formbook_w0 win_formbook_auto win_formbook_g0
SHA256 hash:
6fa806468abf9a72166db0d657f04c083c228bef2ecd434c10f5b0ce9963f309
MD5 hash:
ca90623c3575f4747522b4f34e3d05e1
SHA1 hash:
dd356c47eb5bb3306aa8639c98d87c5b8df03ea8
SHA256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
SHA256 hash:
c62a7ba0221a213f720561efbfa9693df84e55f33c058604a5ef70c19a98b050
MD5 hash:
39621c264c70b418209f7da970bfe420
SHA1 hash:
70e92297691dc4d0d12cdcd49a763f6b99a7b17c
SHA256 hash:
6c529570241cdd44bc1d98ec3001d5a593900aa88c67dafc1c244052ec702679
MD5 hash:
c9d1e3f74221e4117e8737022cff2bfa
SHA1 hash:
4d83844a3568468e30547b3ad0ebf0970e85b55f
SHA256 hash:
5424e934a0cfc1be041d94dd908f4ebab95d19588d7ce6e7f280b162d6c3c179
MD5 hash:
edd1ce0f6eecdeae2c72b5d8d986692d
SHA1 hash:
a1db7d9635024edf01fca683d275d2b72bd15667
Please note that we are no longer able to provide a coverage score for VirusTotal.
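The "Unpacked files" listing above is the part of this entry most worth carrying into a hunt: the sandbox dumped the Formbook payload (402560fe…) out of the .NET loader, and a match on that hash is far more specific than a match on the loader or on its imphash. The listing is flat label/value text, the SHA256 label is misspelled "SH256", and the final entry is the submitted sample itself repeated. The following added example (written for this page, not MalwareBazaar's code) parses that layout into records, validates every digest's length and charset so a truncated hash cannot become an IOC that never matches, and separates the unpacked payload hashes from the parent. The excerpt is constructed from three of the entries above; nothing else is assumed.

```python
import re

# Digest label -> expected hex length.  MalwareBazaar renders the label as
# "SH256 hash:" (a typo for SHA256), so both spellings are accepted.
DIGEST_LEN = {"sha256": 64, "sh256": 64, "sha1": 40, "md5": 32}
LABEL_RE = re.compile(r"^(sha256|sh256|sha1|md5) hash:$", re.IGNORECASE)

# Constructed excerpt in the page's own layout, using three of the entries
# listed under "Unpacked files" above (hashes copied from the page).
UNPACKED_EXCERPT = """
SH256 hash:
402560fe2ff5821f41eb1ca46d02c23d15096e644c4fd711b54f115dc6c62eac
MD5 hash:
dcbb33afb113c05f9fe49bd9dfdc5b07
SHA1 hash:
3ed59bd7af21e25a7147d52dfdbce8f4f67ad27e
Detections:
FormBook win_formbook_w0 win_formbook_auto win_formbook_g0
SH256 hash:
6fa806468abf9a72166db0d657f04c083c228bef2ecd434c10f5b0ce9963f309
MD5 hash:
ca90623c3575f4747522b4f34e3d05e1
SHA1 hash:
dd356c47eb5bb3306aa8639c98d87c5b8df03ea8
SH256 hash:
5424e934a0cfc1be041d94dd908f4ebab95d19588d7ce6e7f280b162d6c3c179
MD5 hash:
edd1ce0f6eecdeae2c72b5d8d986692d
SHA1 hash:
a1db7d9635024edf01fca683d275d2b72bd15667
"""

# The submitted sample (SHA256 at the top of this entry).
PARENT_SHA256 = "5424e934a0cfc1be041d94dd908f4ebab95d19588d7ce6e7f280b162d6c3c179"


def parse_unpacked(text, parent_sha256):
    """Turn the flattened 'label / value' listing into one dict per file.

    Each SHA256 label starts a new record; MD5, SHA1 and Detections lines
    attach to the record in progress.  Every digest is checked for hex
    charset and length, so a corrupted or truncated hash raises instead of
    silently becoming an indicator that can never match.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, current, i = [], None, 0
    while i < len(lines):
        m = LABEL_RE.match(lines[i])
        if m:
            key = m.group(1).lower()
            key = "sha256" if key == "sh256" else key
            value = lines[i + 1].lower() if i + 1 < len(lines) else ""
            if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[key], value):
                raise ValueError(f"malformed {key} digest: {value!r}")
            if key == "sha256":
                current = {"sha256": value, "md5": None, "sha1": None,
                           "detections": [],
                           "is_parent": value == parent_sha256.lower()}
                records.append(current)
            elif current is not None:
                current[key] = value
            i += 2
        elif lines[i].lower() == "detections:" and current is not None \
                and i + 1 < len(lines):
            current["detections"] = lines[i + 1].split()
            i += 2
        else:
            i += 1
    return records


def child_iocs(records):
    """SHA256s worth hunting on beyond the submitted file: the unpacked
    payloads, minus the parent sample that the listing repeats."""
    return {r["sha256"] for r in records if not r["is_parent"]}


def formbook_payloads(records):
    """Records whose YARA detections name Formbook (case-insensitive)."""
    return [r for r in records
            if any("formbook" in d.lower() for d in r["detections"])]


if __name__ == "__main__":
    recs = parse_unpacked(UNPACKED_EXCERPT, PARENT_SHA256)
    for r in recs:
        print(r["sha256"], "parent" if r["is_parent"] else "unpacked", r["detections"])
    print(sorted(child_iocs(recs)))
```

The detections list on the first record is the reason to prefer it: the two win_formbook rules fire on the unpacked image, not on the loader, so a blocklist built only from the top-of-page hashes would miss the same payload delivered by a different .NET crypter.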

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
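Both YARA matches listed here and the imphash line in the file information above pivot on the same value, f34d5f2d4577ed6d9ceec516c1f5a744, which MalwareBazaar reports is shared with more than 80,000 other samples across AgentTesla, Formbook and SnakeKeylogger. The following added example (not MalwareBazaar's, pefile's or the rule authors' code) reimplements the imphash algorithm pefile uses to show why: a managed .NET executable, which TrID identifies this file as, typically carries a native import table containing only mscoree.dll!_CorExeMain, so every such binary hashes to the same value whatever it unpacks to. The two import tables are constructed, not extracted from this sample, and the "ordN" rendering of ordinals is an assumption of this stand-alone version where pefile would first consult its ws2_32/wsock32/oleaut32 ordinal name tables.

```python
import hashlib

# Extensions pefile removes from the DLL name before hashing.
_STRIPPED_EXT = ("dll", "ocx", "sys")


def imphash_string(imports):
    """Build the 'lib.func,lib.func,...' string that imphash digests.

    `imports` is a list of (dll_name, [symbol, ...]) in import-directory
    order; a symbol is a name (str) or an ordinal (int).  Library and symbol
    names are lower-cased and the extension dropped, as pefile does.
    Assumption in this stand-alone version: ordinals become "ordN"; real
    pefile first tries to resolve ws2_32/wsock32/oleaut32 ordinals to names,
    which changes the resulting hash for binaries importing by ordinal.
    """
    parts = []
    for dll, symbols in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXT:
            lib = base
        for sym in symbols:
            func = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the import string: this is the imphash value."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def is_clr_stub(imports):
    """True when the native import table is only the CLR entry stub, i.e. the
    image is managed .NET and its imphash carries no family signal at all."""
    return {dll.lower() for dll, _ in imports} == {"mscoree.dll"}


# Constructed import tables; neither was extracted from the sample above.
DOTNET_EXE = [("mscoree.dll", ["_CorExeMain"])]
NATIVE_EXE = [("KERNEL32.DLL", ["CreateFileW", "WriteProcessMemory"]),
              ("ws2_32.dll", [23])]          # one symbol imported by ordinal

# Value reported on this MalwareBazaar page.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


if __name__ == "__main__":
    print(imphash_string(DOTNET_EXE), imphash(DOTNET_EXE),
          "matches page" if imphash(DOTNET_EXE) == PAGE_IMPHASH else "differs")
    print(imphash_string(NATIVE_EXE), imphash(NATIVE_EXE))
    print("CLR stub, imphash not a useful pivot:", is_clr_stub(DOTNET_EXE))
```

Practical consequence: an imphash-only YARA rule, like the two matched above, is effectively a ".NET executable" detector, so a hunt on this entry should pivot on the unpacked payload hashes, the ssdeep/TLSH values, or the win_formbook rules rather than on the imphash.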

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5424e934a0cfc1be041d94dd908f4ebab95d19588d7ce6e7f280b162d6c3c179

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments