MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e
SHA3-384 hash: e7d6e1b8b42bb717c7006cd191460d202c31c5e1bf252b4e51ae4e4f1033fa9aab9a2a2ada44754df972b95c937f5f39
SHA1 hash: 1c986efd78231e4acf4755a1cfb35d29f4d24c91
MD5 hash: b4b5bca46ed18345132f3797beb6c744
humanhash: sink-delaware-five-bluebird
File name:ORIGINAL_DOCS_BL_AWB_CI_PL_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:447'112 bytes
First seen:2023-09-04 08:23:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:xYGrcobqlo/d5JKYjfPVuFghwVqKan4W84uBg27QvCaloQ:xYKqlo/dzPoL8N4WfuBg27aeQ
Threatray 29 similar samples on MalwareBazaar
TLSH T1DE94CFCDE71194A5EC279271247DDEB70B2B9C6E28A8289525C7BD773C71093303B88B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4c0ccc8ccf4d4fc (23 x NetWire, 14 x AveMariaRAT, 11 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
ORIGINAL_DOCS_BL_AWB_CI_PL_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 08:25:20 UTC
Tags:
formbook xloader stealer
Link:
https://app.any.run/tasks/4c18e037-cffd-4c4c-9945-5f622daa2d70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445986/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.25679.28797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64f594244578d9c35e0123c0/reports/b9e6bdbc-9ff7-4fdf-92c6-42179204d216/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f20cd5e-608b-42ac-813d-eac236374b51
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302718
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302718 Sample: ORIGINAL_DOCS_BL_AWB_CI_PL_... Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 5 other signatures 2->48 10 ORIGINAL_DOCS_BL_AWB_CI_PL_PDF.exe 18 2->10         started        process3 file4 30 C:\Users\user\AppData\Local\Temp\uqcea.exe, PE32 10->30 dropped 13 uqcea.exe 10->13         started        process5 signatures6 60 Multi AV Scanner detection for dropped file 13->60 62 Detected unpacking (changes PE section rights) 13->62 64 Machine Learning detection for dropped file 13->64 66 Maps a DLL or memory area into another process 13->66 16 uqcea.exe 13->16         started        process7 signatures8 38 Maps a DLL or memory area into another process 16->38 40 Queues an APC in another process (thread injection) 16->40 19 PFZkxuEQKNYwmEsAvUwu.exe 16->19 injected process9 process10 21 cmmon32.exe 13 19->21         started        signatures11 50 Tries to steal Mail credentials (via file / registry access) 21->50 52 Tries to harvest and steal browser information (history, passwords, etc) 21->52 54 Modifies the context of a thread in another process (thread injection) 21->54 56 Maps a DLL or memory area into another process 21->56 24 explorer.exe 1 1 21->24 injected 28 PFZkxuEQKNYwmEsAvUwu.exe 21->28 injected process12 dnsIp13 32 whistle.news 84.32.84.32, 49734, 80 NTT-LT-ASLT Lithuania 24->32 34 charcoal-id.com 202.52.146.246, 49735, 49736, 49737 GMEDIA-AS-IDGlobalMediaTeknologiPTID Indonesia 24->34 36 3 other IPs or domains 24->36 58 System process connects to network (likely due to code injection or exploit) 24->58 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 12:35:34 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfc2i6krtqpo36ao6xh5hlj3xdalxeahsmlmd3zfjutihgsrofxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
032d41e43c7f83d6d88dc9e1c63e7fb7f2af670433336e5c892effffd49dd328
Formbook
16c15ef7330e3f3d1915b88ee65986e3c49ae85d26e87e11b2a2f0e7b9202626
Formbook
32119baabd1fab988ebaf2f5692f46c797902e94b52729c27f30f8e579feb530
Formbook
4a63fd45dcc97cf19892173f6101ff932109f8e3c382db28ea077c63a65f203d
Formbook
703f6ba3c612e1c35bc33fdc2201f9bccc1f8a146ce8b1008b47f581e89a77a0
Formbook
8e06e30fe6a9c4f64a09da567c0a6d2f01b49622f535122736d1dd7177b7f9be
Formbook
b2d76e91d736201b7e8fb9780594693cfc3106285a4886e9b40007fdd7e56359
Formbook
eed7a348e95b5acd69c7cb10f4e4e44083ec2cd76c148dcd7fc604a625a52e6d
Formbook
fc563ce0d3583e88222493534f0f02d94ca9dab17c906c5deacf7132852b51b4
Formbook
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230904-kap1vaef9y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
fc619d50ed7ea50e6f21c30bd899ba4571f47cdfe6ef7d6132b33b44d16de94f
MD5 hash:
ade20fdfc577503604de507984e7712e
SHA1 hash:
250d6eb204bfd4a96af4d94539e05c1405072d70
Link:
https://www.unpac.me/results/3439f530-e0c0-4e98-bd53-a43fa9ed1b3f/
SH256 hash:
ef10fd7bdc32340aa3d95e56cb394d8e38c2eb354fbb51c0ffd40bf2580e9584
MD5 hash:
f60f15a25cf9f627403b81b094c973a0
SHA1 hash:
5ff85169e7016d94283297395ffae3c50a89883a
Link:
https://www.unpac.me/results/3439f530-e0c0-4e98-bd53-a43fa9ed1b3f/
SH256 hash:
6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e
MD5 hash:
b4b5bca46ed18345132f3797beb6c744
SHA1 hash:
1c986efd78231e4acf4755a1cfb35d29f4d24c91
Link:
https://www.unpac.me/results/3439f530-e0c0-4e98-bd53-a43fa9ed1b3f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6145a479519c1eedf80ef5cfd3ad3bb8c0bb90079316c1ef254d26839a51716e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445986/

Comments