MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef60b3981c6f69e4dc216f6dc71c4f43a918b625f6a3d9bfbce2067016ddfa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ef60b3981c6f69e4dc216f6dc71c4f43a918b625f6a3d9bfbce2067016ddfa7
SHA3-384 hash: 2b43223fad37988cb14854c9fe93d6ede4a91de65192b6d6db6efce7acad737e7e5bb9fff1fac4ef46e9b137947e8fcd
SHA1 hash: 0780a909530af3f525d6d99f4c39513d44f37dda
MD5 hash: 0944d13b16324a1d31ecf6fc3fb5fbca
humanhash: quebec-west-speaker-iowa
File name:SOCHIDEXPO_PDF.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:309'577 bytes
First seen:2022-10-10 10:38:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:kNeZ/jRjjvwgj1Hlaocbh1UKZtIMFZwFr9BvlnYzmNf0:kNsjRXYt11Jt0FpBvlnYws
TLSH T151641248FA74C8EAEDF56F300D74797A4E77AF32916091271FE47E44BB36642980A348
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8432ccc8d6e619a2 (2 x Formbook, 1 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318316/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42203/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6343f6471ddf36bcc3f4381a/reports/22d3b538-7e53-4d84-aae2-045d4f643da4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9373417a-f6b6-4a11-97a3-5fef436096f3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086801
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 719359 Sample: SOCHIDEXPO_PDF.EXE.exe Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 35 www.spaceappschallenge.space 2->35 51 Snort IDS alert for network traffic 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 8 other signatures 2->57 10 SOCHIDEXPO_PDF.EXE.exe 18 2->10         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\egpsroovgo.exe, PE32 10->31 dropped 13 egpsroovgo.exe 1 10->13         started        process6 file7 33 C:\Users\user\AppData\Local\Temp\6029.tmp, PE32 13->33 dropped 69 Multi AV Scanner detection for dropped file 13->69 71 Machine Learning detection for dropped file 13->71 73 Found hidden mapped module (file has been removed from disk) 13->73 17 egpsroovgo.exe 13->17         started        20 WerFault.exe 23 9 13->20         started        signatures8 process9 signatures10 43 Modifies the context of a thread in another process (thread injection) 17->43 45 Maps a DLL or memory area into another process 17->45 47 Sample uses process hollowing technique 17->47 49 Queues an APC in another process (thread injection) 17->49 22 explorer.exe 17->22 injected process11 dnsIp12 37 www.mionchun.com 154.218.174.74, 49707, 49708, 49709 VPSQUANUS Seychelles 22->37 39 www.morescort.com 91.195.240.13, 49710, 49711, 49712 SEDO-ASDE Germany 22->39 41 4 other IPs or domains 22->41 59 System process connects to network (likely due to code injection or exploit) 22->59 26 cmmon32.exe 13 22->26         started        29 autofmt.exe 22->29         started        signatures13 process14 signatures15 61 Tries to steal Mail credentials (via file / registry access) 26->61 63 Tries to harvest and steal browser information (history, passwords, etc) 26->63 65 Modifies the context of a thread in another process (thread injection) 26->65 67 Maps a DLL or memory area into another process 26->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ef60b3981c6f69e4dc216f6dc71c4f43a918b625f6a3d9bfbce2067016ddfa7/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 10:39:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l33awomby33j4tocc33ny4oe6q5jdc3cl5vd3g73zyqgoaln36tq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:i3tw loader rat spyware stealer trojan
Link:
https://tria.ge/reports/221010-mpymmsbeb5/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Xloader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/13ab5dc5-aac5-439e-9e9e-6d0d9886b662
Unpacked files
SH256 hash:
6f9cc1e2aad3c4b2fde068f0ae178ee04442f78a0e35ddbfe9288a98964784d6
MD5 hash:
9594aad4db796d63a294492b7a44c48b
SHA1 hash:
916dcc5155c9e9e3798d423376cdd2bc7a49df4d
Link:
https://www.unpac.me/results/55a82279-8f9a-4c28-ad15-845b2ef35d46/
SH256 hash:
9c3c8d8694f2930955df11cf0485759035c6a87e5888939bca7e22dab252db0b
MD5 hash:
a411c80d8e14b960370a4e30e0fd2100
SHA1 hash:
4b3e040901320d20f70e053b43e7dea7a8d83069
Link:
https://www.unpac.me/results/55a82279-8f9a-4c28-ad15-845b2ef35d46/
SH256 hash:
5ef60b3981c6f69e4dc216f6dc71c4f43a918b625f6a3d9bfbce2067016ddfa7
MD5 hash:
0944d13b16324a1d31ecf6fc3fb5fbca
SHA1 hash:
0780a909530af3f525d6d99f4c39513d44f37dda
Link:
https://www.unpac.me/results/55a82279-8f9a-4c28-ad15-845b2ef35d46/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ef60b3981c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ef60b3981c6f69e4dc216f6dc71c4f43a918b625f6a3d9bfbce2067016ddfa7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318316/

Comments