MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d
SHA3-384 hash:	fb8895d82be3ae3759bb0612341c66bb730275644682dafa8e7ea0dd4f5fdbf8188d168b25c2784be50a97b26ce9d698
SHA1 hash:	cea80ba15c62c703665c556316cbbc2a0a9a8bf9
MD5 hash:	313524e6258ef1bdb3a175c90a0b2455
humanhash:	spaghetti-early-december-tango
File name:	indent- 40120517.pdf.z
Download:	download sample
Signature	Formbook Create hunting rule
File size:	310'078 bytes
First seen:	2023-05-31 06:17:25 UTC
Last seen:	2023-05-31 06:33:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:AYa6F09XGjbm9UAuN3p+SBSV8T/kFQW81/OMdb27wAn7xRo7G5l:AYn09b9UAuN3ESBOEaY1GME8An7PkG5l
Threatray	2'999 similar samples on MalwareBazaar
TLSH	T1A66412C86FB0C673C4904A310676DA997EB16D266924624B1B40BB6DFCF22D1CE0F767
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter	JAMESWT_WT
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

indent- 40120517.pdf.z

Verdict:

Suspicious activity

Analysis date:

2023-05-31 06:20:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ec14eff1-ecc6-40dc-a2e1-156236533a11

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/393820/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.22777.30109.17754.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88765/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6476e69a015beb7a3b05de22/reports/81950d5e-f518-45e0-ade4-42d38e6b7eac/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15697a64-765b-4797-854f-99897c4acefd

Result

Threat name:

NSISDropper, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1245789

Signature

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-30 23:48:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k646lgfcgrfj6epkk7u556ef2bkianf37vycbruxo4f4ndismygq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c

Formbook

69b82b41a7cfa515bf64c0302089df4a7f0af0791ca5499b6c402c9638d68381

Formbook

6c63ea532f12715886930df03b9d1d27ef54eceaefe3572b1347a46f50a96e79

Formbook

7e730ca7f92fd178c170d14422fbd34ea085e602dc22597d4aec331df1d55d0e

Formbook

86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54

Formbook

8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e

Formbook

c81c83ab1925106c70d6393edc0fcc117a4cb12ac96383ad28ceabe54c12fb4f

Formbook

e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3

Formbook

ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac

Formbook

+ 2'989 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230531-g2lkysdf5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

ce25649abbe9630dc2b2d01633b89e1688fd701ef301838a083460cb11703ebf

MD5 hash:

30378a18a14c234fc4b39656c48c953c

SHA1 hash:

2506b2673a07297c20a25e8836b92d94b758f970

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/eda141df-c0fa-48dc-aab4-0579d87f15ae/

Parent samples :

45c495f1765c2a86062980d2e2b196b0696247fa42199a6fd278cd739550db57
86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3
57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d
bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6

SH256 hash:

5de47656d70990ec230319bd2e35b9254a19583f005487551a0d9a951607feed

MD5 hash:

c9d1695f8f861de42ff96e5a03ae3e36

SHA1 hash:

a09c013a0c262d8c8f6dba5ffbb4c2c4760129b4

Link:

https://www.unpac.me/results/eda141df-c0fa-48dc-aab4-0579d87f15ae/

SH256 hash:

86782fad55ddd9a12122810d4776f9105e5dae0d94b3bc1cc56f9d75eb4a9b2d

MD5 hash:

42033ab4bbaa96e3454ee64250bd7caf

SHA1 hash:

0a65e0194af1d8e445361092f18929e2810c7a79

Link:

https://www.unpac.me/results/eda141df-c0fa-48dc-aab4-0579d87f15ae/

SH256 hash:

57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d

MD5 hash:

313524e6258ef1bdb3a175c90a0b2455

SHA1 hash:

cea80ba15c62c703665c556316cbbc2a0a9a8bf9

Link:

https://www.unpac.me/results/eda141df-c0fa-48dc-aab4-0579d87f15ae/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/57b9e598a234/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/393820/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample