MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 635d1ea9728310e492a728ff14145c39a5c7594ebd75b9c70e4d44d45f9bd85b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry: Formbook

Vendor detections: 12

SHA256 hash: 635d1ea9728310e492a728ff14145c39a5c7594ebd75b9c70e4d44d45f9bd85b
SHA3-384 hash: 2f270fe96cf18e9266259bf532598b49a1cbc5cf41aa66639d2f62afd4e3b1bd9df0b6cc41c911b506452e4786ae2f59
SHA1 hash: 30d7f46687cdb8e122ba61f01bfe00fad146ae18
MD5 hash: 2adb08aa2d1edefe67ab0d44e1e68218
humanhash: mirror-may-seventeen-mountain
File name: PO0423024.exe
Signature: Formbook
File size: 717'832 bytes
First seen: 2024-04-23 07:16:44 UTC
Last seen: 2024-04-23 08:30:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:GrF9WMU99jwO4/TUOQDGVgsxVGz//vwHa4Gs56xNFedPMwIzFAgdfekodrsKkR:Gr2MG8O4gGVgsyzvX4GscNFedPMPFVxB
TLSH: T14EE4128637FD9F41E7BBC7B8647889806BBAB896A631E49CDDD144CB59D1F048700B0B
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: threatcat_ch
Tags: exe FormBook

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 382
Origin country: CH

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: MSIL Injector
Verdict: Malicious
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID: 1430182, Sample: PO0423024.exe, Start date: 23/04/2024, Architecture: WINDOWS, Score: 100): graph image not reproduced here.
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2024-04-23 06:45:41 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Modifies file permissions
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: Formbook
File: Executable exe 635d1ea9728310e492a728ff14145c39a5c7594ebd75b9c70e4d44d45f9bd85b (this sample)
Delivery method: Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
