MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57e20958192afa8402b59845234ba6b302a654d2eb75dd71273b8aa0ff115ff2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: 57e20958192afa8402b59845234ba6b302a654d2eb75dd71273b8aa0ff115ff2
SHA3-384 hash: acbf7acc0d3961ee520da4096b67da1544b5795eceaafe26e18697dcd8c227134f0b1df9fea7b39e8af5cea63e132cd7
SHA1 hash: 0c1d0f183fa421b99ecb0617b01f4a642a1a31ad
MD5 hash: e65c8c91114309409d7fd9e014b4e425
humanhash: oven-blossom-bacon-lake
File name: PROFORMA INVOICE PI160256.exe
Signature: Formbook
File size: 660'480 bytes
First seen: 2023-05-24 08:28:58 UTC
Last seen: 2023-06-15 22:26:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:RYtPplTY6RhKuVEzvScqAmExlZ+/TqDUZmNCpuGeZemCmyoPbVHn0g8:iJTDEIEF5JZ+l5uGeZcCPN0g
Threatray: 2'917 similar samples on MalwareBazaar
TLSH: T17EE422092F0FA42FD5EF1BFC845415B0227B8A96B682F347AE6733D5DA85F86500588B
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: lowmal3
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 2
# of downloads: 269
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PROFORMA INVOICE PI160256.exe
Verdict: No threats detected
Analysis date: 2023-05-24 08:31:01 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-05-24 02:40:08 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 18 of 35 (51.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: f1fcce7a0b22d9d87cc0393d6ddd052c8d2a233435e769771144e8ffd87beabc
MD5 hash: 55768e9cd2597b4bdb71551c4c266dfa
SHA1 hash: 62a7af356b42a915791b4f3150876b1258f78470
Detections: win_formbook_w0 win_formbook_auto win_formbook_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 57e20958192afa8402b59845234ba6b302a654d2eb75dd71273b8aa0ff115ff2

(this sample)

Delivery method: Distributed via e-mail attachment
