MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380
SHA3-384 hash: d7255f027f16acff956578c5f121558ff7022d7d607d6da1eb4fb6203e58a89edec31613bb1aa090e940975eaf4f26c2
SHA1 hash: 44c0c0b355b69c0fefeae5172ec23ae0955c6244
MD5 hash: b6026dd6740eedf47d44a62b69714fb1
humanhash: five-robert-jersey-jersey
File name:World Energy RFQ 2023.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:758'784 bytes
First seen:2023-01-06 13:43:43 UTC
Last seen:2023-01-10 13:37:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7aoH05gMl79f7y9DkigLyU+CKvbXjvLdkklHpGK1WRGqLQrLo:F0iq7NyRkiGzf4bXrLdRGK1WRuo
Threatray 5'783 similar samples on MalwareBazaar
TLSH T1F1F4598D2778E477FAD7237A021010F81E623A13F5A6F11B5E7B7EE920156FA366C601
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
World Energy RFQ 2023.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 13:45:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6922a302-f1fe-4aea-b3ed-0d06d3554546

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/350080/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.14471.11188.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b825a740e878e304232f31/reports/2c7a13ab-96c7-4d28-8966-d61994669086/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9990ef12-d81b-46c0-9cdd-54e139e5e11a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146352
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-04 16:58:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxitd6336pkfl3pqhamqzqowtwz364akgbpf4lyaulrpwrshkoaa._file
Verdict:
malicious
Similar samples:
0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67
Formbook
5a0893d2100052e465b5329bc5ab00bad025469b279ef9fe1ab6a4643b5e8a5e
Formbook
77cd536168c0e9585f4e6618573de6f52a73d17cd7f9aa527a696752c0f25143
Formbook
7ce7ca5deeb35f3cce19ca4e01e28aebe9f1b03dc8778a2e85e0d515a6df1a3e
Formbook
7f7322dd08a3f54e840b31b0c1c01a65676701cb15ed97ea3cdb6b0edf5402db
Formbook
86bbdfb30d760c948d6493941fc293ac073da4e622e3385575621a5823159b64
Formbook
8fc56654c730505dd97bbe04e8c9f688b7b9366eb1981e848fe3c829a553f40d
Formbook
9a7a657e728c731ff69db20bfb86f32dea639d2020ed4415821161aced29f7b9
Formbook
b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2
Formbook
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
Formbook
+ 5'773 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230106-q1tdvacd91/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Modifies Installed Components in the registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd3dfaa3-068c-40ce-8973-77ad8bd627e0
Unpacked files
SH256 hash:
9bfbb42fc88543f9a30515fb1fcb13712653af474739aaa604f0901d16af93c9
MD5 hash:
9a43a96a9a86c11c11dcd55674af54f9
SHA1 hash:
243fadde5d2c3d164712eb5d40f1d7084cdeac8c
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
Parent samples :
55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380
459aa22827ed6a13af8399cf656ba76b1f9539edb3085ff3256804e111f52c9e
SH256 hash:
5c5ef48c34898ce952c18b75ce9cfc478c2b1535c1587e9f0ea2496cf0a48317
MD5 hash:
0f1b6adcc3cf7a7346e6e5237f9f45f1
SHA1 hash:
c9dbc1b0675d031f5b88068e6e6cd7a73383d7b3
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
SH256 hash:
0d62d6efe11868e132f74e19566ac04bd6a11543b8a5b6478284cf6212b10118
MD5 hash:
5132752f404bd2aa07684a90cd92a3ff
SHA1 hash:
77d540720f154be1e9f425780c09929bfdf6a72b
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
SH256 hash:
c540ee591b86046d35bd8c6d10081c0a11ca9292c1665b772ea48a0b54ce200e
MD5 hash:
640dae8ea290a5b59948adf98a5a48ac
SHA1 hash:
6fc6c71f5820a59d87306d05076030ca8109380f
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
SH256 hash:
4df75e2046c07e9d82e3e9038163a885fc90da5d919d0ec2d64882522e2f519b
MD5 hash:
a2d779e59af41e0a6478c2359d31c1f5
SHA1 hash:
5abdcd4af44bf1fd9c942a8d2e9e0f0eb6c760c3
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
SH256 hash:
55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380
MD5 hash:
b6026dd6740eedf47d44a62b69714fb1
SHA1 hash:
44c0c0b355b69c0fefeae5172ec23ae0955c6244
Link:
https://www.unpac.me/results/736a4084-d1f0-4cd8-bc4d-0b86dc33202b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55d131fb7bf3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 55d131fb7bf3d455edf038190cc1d69db3bf700a305e5e2f00a2e2fb46475380

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/350080/

Comments