MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756
SHA3-384 hash:	57a7b32a48c4d08e7090171cf788e66aa82951361932e87be316d26af185c836f3e69481d06aa32188631b8ed61416ea
SHA1 hash:	8b9fdf2cea0efb92f2956895fa73318f1452efcc
MD5 hash:	d45f04320cb11a42bb2aa7befa9300d0
humanhash:	potato-india-lake-blossom
File name:	MVE985700#.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	543'408 bytes
First seen:	2023-09-26 16:24:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep	12288:6nPd5ziv1Ugz6zrzKqr0/NANMdX7lk2q+gjdhp1BoF:GPdJKUggzdkXG+grI
Threatray	12 similar samples on MalwareBazaar
TLSH	T147C49CE3E11A5D67E6A4D5BB2321EA9B3B407DE484349C827BB3378ED176901713C239
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	a2b898d8c2e9d882 (1 x Formbook)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

306

Origin country :

US

Vendor Threat Intelligence

ANY.RUN formbook

Malware family:

formbook

Alert

Create hunting rule

ID:

1

File name:

MVE985700#.exe

Verdict:

Malicious activity

Analysis date:

2023-09-26 16:26:09 UTC

Tags:

formbook xloader stealer spyware

Link:

https://app.any.run/tasks/de7dd482-813d-49e5-b350-b9f93b284b83

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451322/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.11305.30766.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Dragonfly

Gathering data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/651305e00870810f018722a6/reports/6a11466c-6f37-46a5-b16f-610489f4d9b2/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9c58e59f-a04a-49c8-a3f5-76e734b39c8f

Joe Sandbox FormBook, NSISDropper

Result

Threat name:

FormBook, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1314701

Signature

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756/

ReversingLabs TitaniumCloud Win32.Trojan.NSISInject

Threat name:

Win32.Trojan.NSISInject

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-09-26 16:23:36 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

20 of 23 (86.96%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lhunjloio4j5mjb7ceycrhjw3ix33bfmuv3kbpa2thixfdzjy5la._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

39fa589ea526a5070a88ddb3ef7e179f221552e2c90574b4480ac029ac634067

Formbook

505727b56d70693677cd53bf8e29770f00f0a98b5eb741c3f98621f96f8d5514

Formbook

58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e

Formbook

5a8e4470e44f5566fba20c2b3962e04f40a688de11c46c02abb082e6e895a13a

Formbook

7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4

Formbook

8ac1c0f03f5591ee9291e375cb28afa7175defc336e2d3e834a339d4a8b4d7a6

Formbook

b38b57a54529989adfedab2ef64d18b480154a208cb23d455de6c06668061a0b

Formbook

c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed

Formbook

+ 2 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230926-twypjsbe2v/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UnpacMe 2

Unpacked files

SH256 hash:

485c21d79aa4cc9a46380df24f20f1a50d09ca5e47f37569153117a030a0d686

MD5 hash:

d2926148cb8cb57db4e72c8153b15e6c

SHA1 hash:

25e9381174815b6a2ee4041dd50867f9e1ace96c

Link:

https://www.unpac.me/results/d24d925c-5d24-4e54-b665-48f490bf7e58/

SH256 hash:

59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756

MD5 hash:

d45f04320cb11a42bb2aa7befa9300d0

SHA1 hash:

8b9fdf2cea0efb92f2956895fa73318f1452efcc

Link:

https://www.unpac.me/results/d24d925c-5d24-4e54-b665-48f490bf7e58/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/59e8d4adc877/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59e8d4adc87713d6243f1130289d36da2fbd84aca576a0bc1a99d1728f29c756

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

  

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/451322/