MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a
SHA3-384 hash: 8b5c75d9f90a855a7c0f961dca4605638b110d5b3ff106f95d75ad12956914dd0b01c85fdf4e06f071dc110e28b2639b
SHA1 hash: 973dc1db4ef4fa87796a2d56bd7d3ce8a66318c6
MD5 hash: e153fb09c6996b4d1084836e32414396
humanhash: oregon-green-april-west
File name:Shipping Documents PO# 2040024998.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:243'598 bytes
First seen:2023-08-16 13:04:22 UTC
Last seen:2023-08-17 05:44:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 3072:HfY/TU9fE9PEtuGb4LnneJFbc6nJoSMzGe6Wrx7JNpOIigLbtbtj8c/5Vl8gNVqJ:/Ya6GBJjox6WVcWlR/5T8gNVqqWCSJ
Threatray 3'671 similar samples on MalwareBazaar
TLSH T1F7341218B390C5FBE4824B314935A6A79EFC99062AA2D34B13505E5CB933792DF1F713
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
263
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Shipping Documents PO# 2040024998.exe
Verdict:
Malicious activity
Analysis date:
2023-08-16 13:14:21 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/9353e7b0-9925-43f5-9c67-d9b41b6e5ec9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443040/
Detection(s):
Sanesecurity.Rogue.0hr.20230815-1338.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102978/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19d804fe-edad-4749-ac49-632ef0a44bf6
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292137
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample has a suspicious name (potential lure to open the executable)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-15 10:13:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpjvhp4sxoou7iywkyyi2mfdtoi3rxkaaxlckricwhuctn2k46na._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
190090b95e7c9b2410ceb2149bb1c4369550963e56693e331bda3d020a0018e2
Formbook
3075ce1d8754fd33aba3041411c6f1465abdb5c49495b18511c656589db79ba9
Formbook
5f4316e6d654f612b1aa557b15eae6502979697bcd4cdc101b49c2297a6dca14
Formbook
61894dd6d947ab1237c08e4f020e6462fdc7a96903c7cf27523d4e21304c1612
Formbook
69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0f
Formbook
7a123e291c6c3bca48da92da78abd1157469dd5885f7af234e9114bcc5c8f061
Formbook
a318197c6b7d13969ec28187327e1005ac7d39f969ef27b81f7967870e896378
Formbook
cc1e18df25ea2f4e3a97b78ceb434ba61318eae9ee868d62bb1b3b8e9dbf2c7c
Formbook
ce4adf5f77ad3bf554ee6727abfe3c82e49ac5097e4e8d50ba2faba0d05b9c1d
Formbook
+ 3'661 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:sn26 rat spyware stealer trojan
Link:
https://tria.ge/reports/230816-qbh7ksba27/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a
MD5 hash:
e153fb09c6996b4d1084836e32414396
SHA1 hash:
973dc1db4ef4fa87796a2d56bd7d3ce8a66318c6
Link:
https://www.unpac.me/results/ff09b760-3daa-4842-9a7a-436a4750c676/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63d353bf92bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf

Formbook

Executable exe 63d353bf92bb9d4fa31656308d30a39b91b8dd4005d6254502b1e829b74ae79a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/443040/
  
Dropped by
SHA256 68cfc89e9e632f47255727d82390400f4207f8999725c83ab346ead1018a3ddf
  
Dropped by
MD5 2824b78c696d22d8374f8b4d21f4738a
  
Dropped by
SHA256 d8949809f679156919ee2994576eb7d86f67b1541ee32b5f13745ef11195ab6c
  
Dropped by
MD5 b8af5bf79bd532a7a39e5a155203e061

Comments