MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1
SHA3-384 hash: aa0792474dbd8989ef12f9df0c5fe4f42e15bff307ee3f00307b7c9f49e5c622b958e07bfca2164f8e7225fc90797b14
SHA1 hash: 00e54dad1cfcacd0b38d52b3eae9a8ccdf116757
MD5 hash: ea95f133e9f4119805e59a6f2d757080
humanhash: idaho-fillet-one-saturn
File name:095266145627716.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:975'360 bytes
First seen:2022-09-21 06:14:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e30ed541c68a06f687211f823e9f1f7a (2 x ModiLoader, 2 x Formbook, 1 x AveMariaRAT)
ssdeep 24576:CyQCv11PbnjANYPAj81OUo6w7tNTa9W8AoqiVNW:CIP6sOUzM
Threatray 15'216 similar samples on MalwareBazaar
TLSH T1B0256A539290C737C22E61307D9F225E7F99EEC028181DA277A4FE7C9B3AD5067D2246
TrID 31.1% (.EXE) InstallShield setup (43053/19/16)
30.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
10.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
9.4% (.SCR) Windows screen saver (13101/52/3)
7.6% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 33f098d2d6d8f033 (12 x RemcosRAT, 7 x DBatLoader, 6 x Formbook)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
095266145627716.exe
Verdict:
Malicious activity
Analysis date:
2022-09-21 06:28:25 UTC
Tags:
installer formbook trojan stealer
Link:
https://app.any.run/tasks/2c012237-65e8-4b76-a21c-002a6cd6f2d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311952/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6169.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38364/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/632aac76e64c53f047fa0f4f/reports/a548c332-3a8c-4ba7-97c3-d34792da2f29/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/239363af-ac1d-46bf-8f76-8dd5f2ff961d
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074373
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 706910 Sample: 095266145627716.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 37 www.trisuaka.xyz 2->37 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 6 other signatures 2->65 11 095266145627716.exe 1 18 2->11         started        signatures3 process4 dnsIp5 45 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49703, 49705 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->45 47 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49700, 49704 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->47 49 3 other IPs or domains 11->49 33 C:\Users\Public\Libraries\Aldlhamn.exe, PE32 11->33 dropped 35 C:\Users\...\Aldlhamn.exe:Zone.Identifier, ASCII 11->35 dropped 77 Contains functionality to inject threads in other processes 11->77 79 Writes to foreign memory regions 11->79 81 Allocates memory in foreign processes 11->81 83 2 other signatures 11->83 16 cleanmgr.exe 3 24 11->16         started        file6 signatures7 process8 signatures9 51 Modifies the context of a thread in another process (thread injection) 16->51 53 Maps a DLL or memory area into another process 16->53 55 Sample uses process hollowing technique 16->55 57 2 other signatures 16->57 19 explorer.exe 16->19 injected process10 process11 21 explorer.exe 19->21         started        24 Aldlhamn.exe 14 19->24         started        dnsIp12 67 Modifies the context of a thread in another process (thread injection) 21->67 69 Maps a DLL or memory area into another process 21->69 71 Tries to detect virtualization through RDTSC time measurements 21->71 27 cmd.exe 1 21->27         started        39 192.168.2.1 unknown unknown 24->39 41 ph-files.fe.1drv.com 24->41 43 2 other IPs or domains 24->43 73 Multi AV Scanner detection for dropped file 24->73 75 Machine Learning detection for dropped file 24->75 29 cleanmgr.exe 24->29         started        signatures13 process14 process15 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 02:55:53 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=msqomjrwtr7ldqux7mqvqwwxd3pkaew3r2hucuziqaglzg57dxqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c32394238d4d1a1865110e6f226475422a241176c28f909f114204bf9af9a92
Formbook
4a71e4db2ded6a9e2418c5a47506cc2a0b42feb42dc32692e8ef3ee3c959b3a6
Formbook
57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb
Formbook
663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
Formbook
8545a266a50d8b5dc65790c7ce2b6d74f89641c731d53b44bc5b89cd143c3303
Formbook
8b6bed9a53981b3909a06544e89849fd738f9aabf912c36e21777677204e251d
Formbook
ceba84ad5d66f56b623ba771fbf63ff8aabb933047f8787a082df73c9d2240bb
Formbook
d141b9e994a78ea1081fd3ea0768e3c7f01d3f570910923a5ace448b98e63e14
Formbook
+ 15'206 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader campaign:uj3c loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220921-gzxkfafec4/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Reads user/profile data of web browsers
Executes dropped EXE
ModiLoader Second Stage
Xloader payload
Formbook
ModiLoader, DBatLoader
Xloader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5d65d8ed-1570-4b5e-912e-8337a5387e22
Unpacked files
SH256 hash:
0d83381a85ed5b84c22d4c4d2e7b321e0bf6d4b99b75ffe7f1fc0a88a8b67fc2
MD5 hash:
37915e9ca62e3993fe4c6fa848aa2e4c
SHA1 hash:
c4adac1b54de33c48e5b4810b0a09346a47b0bc2
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/ce20de1b-95bd-4866-a05d-4b199ce598ea/
Parent samples :
96c1db348aa67b1fae276b04f213b50936fad0e044042b6c43a7d2c8f15d4c1c
64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1
69030d7bb20e05dc3730aaf09d6815c2b5d46fe8ada819cc4c90e1e37fb173a6
d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55
9edb5884eb282a8c920ddd9ea25983df592b8a5dce6dbe36796f83a5076ac4db
SH256 hash:
64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1
MD5 hash:
ea95f133e9f4119805e59a6f2d757080
SHA1 hash:
00e54dad1cfcacd0b38d52b3eae9a8ccdf116757
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/ce20de1b-95bd-4866-a05d-4b199ce598ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/311952/

Comments