MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3
SHA3-384 hash: c852a74aa49717851447fe76b3a4f26d25f31ba038af8c68d329dd0a0fab598044cbc5f7569624e36ebfbb895b8cc6b2
SHA1 hash: 91b67dbb0dfbdb313a8e33a00ee99c54a0db836a
MD5 hash: e8f558cb2cce6d7753cde64b792121a8
humanhash: lactose-table-michigan-bravo
File name:Подтверждение платежа - июнь 2023 г..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:686'080 bytes
First seen:2023-07-25 07:29:57 UTC
Last seen:2023-07-25 08:32:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:OYiIoFwIrG3XCCaI0vNoXBQC5FruhHzLLkpygL3rz2zjUqTV/L7ft+d9TvA0pK2L:OHIcTrGCorRQkKLkpBf2Zfod9DA03L
Threatray 3'469 similar samples on MalwareBazaar
TLSH T164E422226A708B8BC53A1FF8157077B5637FEEDA7061E3CB1D87F049E9767889620211
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 37c39995b4b4154b (6 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Подтверждение платежа - июнь 2023 г..exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 07:41:27 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/76714153-e04b-49f5-b23c-2913e17afeee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432017/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.7641.12290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8952076-5c80-4a2a-b956-bf6ce8e4aee9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278886
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1278886 Sample: _#U0433..exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 55 www.macauklub.bet 2->55 71 Snort IDS alert for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 7 other signatures 2->77 11 _#U0433..exe 7 2->11         started        15 dXpVGUrR.exe 5 2->15         started        signatures3 process4 file5 47 C:\Users\user\AppData\Roaming\dXpVGUrR.exe, PE32 11->47 dropped 49 C:\Users\...\dXpVGUrR.exe:Zone.Identifier, ASCII 11->49 dropped 51 C:\Users\user\AppData\Local\...\tmpEF03.tmp, XML 11->51 dropped 53 C:\Users\user\AppData\...\_#U0433..exe.log, ASCII 11->53 dropped 85 Uses schtasks.exe or at.exe to add and modify task schedules 11->85 87 Allocates memory in foreign processes 11->87 89 Adds a directory exclusion to Windows Defender 11->89 17 RegSvcs.exe 11->17         started        20 powershell.exe 19 11->20         started        22 schtasks.exe 1 11->22         started        91 Machine Learning detection for dropped file 15->91 24 RegSvcs.exe 15->24         started        26 schtasks.exe 1 15->26         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 17->63 65 Maps a DLL or memory area into another process 17->65 67 Sample uses process hollowing technique 17->67 69 2 other signatures 17->69 28 explorer.exe 1 1 17->28 injected 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 26->36         started        process9 dnsIp10 57 www.8fleeto.site 27.124.125.171, 49702, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 28->57 59 www.bizwingo.com 38.54.163.253, 49700, 80 COGENT-174US United States 28->59 61 9 other IPs or domains 28->61 93 System process connects to network (likely due to code injection or exploit) 28->93 95 Performs DNS queries to domains with low reputation 28->95 97 Uses netsh to modify the Windows network and firewall settings 28->97 38 netsh.exe 28->38         started        41 wscript.exe 28->41         started        signatures11 process12 signatures13 79 Modifies the context of a thread in another process (thread injection) 38->79 81 Maps a DLL or memory area into another process 38->81 83 Tries to detect virtualization through RDTSC time measurements 38->83 43 cmd.exe 38->43         started        process14 process15 45 conhost.exe 43->45         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 01:37:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ls73ofkgjasb7pwir2d6f2uxhalmhdxisi2exv2c37ck5mce7lrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1df31e1f77cb6e4a128c2eea27424948b7b8db593a958bf573ab95180f230eca
Formbook
a200ca72553397e7d6a4c746a52411f62819d7860e7330e2d45df32f3c952dfa
Formbook
b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13
Formbook
ba5cfc9373499678bbd2a9ca62e554be9c114d913cf97c00822917226df0bbe2
Formbook
c5dc5d0cc0ec3f2f607941f8d44019001ca18ab09abda656d4e68a5219d0e576
Formbook
c8ad050630ea954712c67d5c27e8f75542d78e7d43c81554c0a652da9218a880
Formbook
de3446d049a6b7189de5455bdd16e554dce659c21e7221520b131dd4a061d470
Formbook
f9c4bbc7b6a427a5fcd5d462d402456e604e7fcf1a21d350f3cc7f894f0e4484
Formbook
fe1140b9f51be2ad605b26a161f79839994aad33089412401912811eb6d569e0
Formbook
+ 3'459 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d0i9 rat spyware stealer trojan
Link:
https://tria.ge/reports/230725-jbs88abd56/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
e97015efa7b3c6373206d9f8e70ecd94da555837d3bdba4d301b73384490fbe9
MD5 hash:
3201888be03eda737b8f62aba68f9199
SHA1 hash:
9b64226fb85b69e2af66ce64ffdd90c54010e854
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/53657c7e-5028-4499-b4dc-bf46598ffc84/
Parent samples :
a200ca72553397e7d6a4c746a52411f62819d7860e7330e2d45df32f3c952dfa
ba5cfc9373499678bbd2a9ca62e554be9c114d913cf97c00822917226df0bbe2
5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3
c22f7e6ed2e27a1863b7bf519f4254afafeffc69cadbee3ff2eadd3b3ed36492
2e6817886ae8c6bfaf55499d950bb963b5c176dd5adb5a9dfb8cde49d5bf394d
7fba8c621fc9192e73139b70878ccf8ed761b025fe13bef1bf74e1d5181ae48b
739428d0a73e227de5c5d32a2e9cb7b5dacce36cd48c05cce21e2dde28730a97
SH256 hash:
7b26cb10bf269511b6baaa4d397f9deba18954867d9f93147483afa9b65d3082
MD5 hash:
b4d1a9aae8e9886cc78b62fc9c3c1513
SHA1 hash:
d51f6e25234a4b299dfa11df83d7158b763613e3
Link:
https://www.unpac.me/results/53657c7e-5028-4499-b4dc-bf46598ffc84/
SH256 hash:
a92f2fcb90ac6724f4a6bbcdff52cbb39825badcf050c084b1db8e4fae0bac84
MD5 hash:
9c96fea52e113cd0f120102140bed23f
SHA1 hash:
4c2cbebeb2586d98097b2e4029787aa4f60a8f45
Link:
https://www.unpac.me/results/53657c7e-5028-4499-b4dc-bf46598ffc84/
SH256 hash:
fe2951073f917e22236f85b3ffa05ee2d0c545d84aa4c67b061144771bc6c96c
MD5 hash:
eec1b2af98f6d216695ff7994ef56eef
SHA1 hash:
162566fbb102844a7cc4e043bc36583d3766812b
Link:
https://www.unpac.me/results/53657c7e-5028-4499-b4dc-bf46598ffc84/
SH256 hash:
5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3
MD5 hash:
e8f558cb2cce6d7753cde64b792121a8
SHA1 hash:
91b67dbb0dfbdb313a8e33a00ee99c54a0db836a
Link:
https://www.unpac.me/results/53657c7e-5028-4499-b4dc-bf46598ffc84/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5cbfb7154648/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 8b26c2a146a3552fb63571009f464069774231814d7c27982a8d46b94469743e

Formbook

Executable exe 5cbfb7154648241fbec88e87e2ea973816c38ee892344bd742dfc4aeb044fae3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8b26c2a146a3552fb63571009f464069774231814d7c27982a8d46b94469743e
Cape
Cape
https://www.capesandbox.com/analysis/432017/
  
Dropped by
MD5 4cf0690f0969fedc003860b4eaec926c

Comments