MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58ecce96d2c317095677b0bd1d5bac716129626042ce71e5737a4368799dc861. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13

SHA256 hash: 58ecce96d2c317095677b0bd1d5bac716129626042ce71e5737a4368799dc861
SHA3-384 hash: 76c8c35e9f4ec0a823260266e35120652b8a6bcd3f10835a32897869424378731ec9f2086fe94c5bf0d171c194f4eb0c
SHA1 hash: 8bf63cc1d046833f81719551c99fdce7f4f01f1a
MD5 hash: b5c23568b717b212e11db239401fdcf9
humanhash: twenty-quiet-gee-kansas
File name: ALKAN Order.exe
Signature: Formbook
File size: 608'768 bytes
First seen: 2023-04-20 10:16:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 12288:sYMaGLzjp3IBs4LDVI+y1/JMeGUSEDs+F8T9:XMaGLzjp4m25Hy1BMeffD9G
Threatray: 2'691 similar samples on MalwareBazaar
TLSH: T173D4F1A572C0978FC8053FBD5A04584827B34DF9C4D8CECED966B48B4EFE7618144E9A
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 234
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ALKAN Order.exe
Verdict: Malicious activity
Analysis date: 2023-04-20 10:16:25 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Launching a process
  Creating a process with a hidden window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
  .NET source code contains potential unpacker
  Adds a directory exclusion to Windows Defender
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for dropped file
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into a foreign processes
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Sigma detected: Scheduled temp file as task from temp location
  Uses schtasks.exe or at.exe to add and modify task schedules
  Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 850868; sample: ALKAN_Order.exe; start date: 20/04/2023; architecture: WINDOWS; score: 100)
  Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 4 other signatures
  Process tree:
    ALKAN_Order.exe (started)
      dropped: C:\Users\user\AppData\Roaming\QZmJLDpU.exe (PE32)
      dropped: C:\Users\...\QZmJLDpU.exe:Zone.Identifier (ASCII)
      dropped: C:\Users\user\AppData\Local\...\tmpCEC8.tmp (XML)
      dropped: C:\Users\user\AppData\...\ALKAN_Order.exe.log (ASCII)
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      started: powershell.exe (which started conhost.exe), schtasks.exe (which started conhost.exe), RegSvcs.exe
    QZmJLDpU.exe (started)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      started: schtasks.exe (which started conhost.exe), RegSvcs.exe
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  Creates scheduled task(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Checks computer location settings
Unpacked files
SHA256 hash: 3ae4fe69def02df6fae3e7241d99bcc8a93f25d3418ea5abe2fe3f5b1f3f6d07
MD5 hash: 94b826a56aa62e12f4af324c75604b0d
SHA1 hash: ab431fbd2a1e6160ca035185146c654002586fdc
Detections: win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: 5745d623025dba00c75a7ef04e2cd098843bb92595273e13488f8f016a4356db
MD5 hash: a4b3a3f8d84d9af7ac74126dbbd28935
SHA1 hash: 80200fb4e22039d1d6201a157101baa2ab74b702

SHA256 hash: 62b93fb01a987b8e5f9f6be50b74358f2e9f2c2b82a55805a082afef9cfa155b
MD5 hash: 77b5b9919efbbb1ed04c55026b1adb3e
SHA1 hash: d3aba60f71b42f36a897c81a1703748b6ed4c602

SHA256 hash: 59e8e3d1706485c2b84e1d4af7d3af3a6a0c447121e03fb7edfc2c1af40b6533
MD5 hash: 974c30a9c0ceb52a8a93ea6322085266
SHA1 hash: b23d751e792200aa077012c22133f77747def2be

SHA256 hash: 40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash: c768bac25fc6f0551a11310e7caba8d5
SHA1 hash: 95f9195e959fb48277c95d1dd1c97a4edff7cb3a

SHA256 hash: f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash: 567bbf43aac601560b1def4a872d4089
SHA1 hash: 21dfc6e6ecf39c9c23927c114ca911559ca4593e

SHA256 hash: 58ecce96d2c317095677b0bd1d5bac716129626042ce71e5737a4368799dc861
MD5 hash: b5c23568b717b212e11db239401fdcf9
SHA1 hash: 8bf63cc1d046833f81719551c99fdce7f4f01f1a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Dotnet_Hidden_Executables_Detect
Author: Mehmet Ali Kerimoglu (@CYB3RMX)
Description: This rule detects hidden PE file presence.
Reference: https://github.com/CYB3RMX/Qu1cksc0pe

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: Formbook
Sample: Executable exe 58ecce96d2c317095677b0bd1d5bac716129626042ce71e5737a4368799dc861 (this sample)
Delivery method details: Distributed via e-mail attachment
