MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6629561c9ef95a707d75ea132f9e2a42132d1a349159b5331695612c108459ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

SHA256 hash: 6629561c9ef95a707d75ea132f9e2a42132d1a349159b5331695612c108459ef
SHA3-384 hash: 0f61af31e98ede58f802163a79b7ae66a8c2b40cb094d622d0d79153b44305038e5b8f574f1f19c4ba119174d4e83d0d
SHA1 hash: 0a6ee4aba4a40e776cdf2a6cc22530493514ef10
MD5 hash: dc32dd7566e39e3ca9de87ba4ae5d550
humanhash: fix-cola-hot-vermont
File name: SecuriteInfo.com.Win32.InjectorX-gen.14764
Signature: Formbook
File size: 435'712 bytes
First seen: 2022-09-27 05:13:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:bZbH/DnfeuFcXJyqSumU2LGzVGdvr3r7/JPNzDRJjoUpWKzrnHHP:FLWLEqrn2LGhGdvr77/J7J8EWKzrnP
TLSH T148944E2C3B064E66FD0EC338450D0A24FFA60B8372C0E99657CB5DC9C74E5B65EA5C9A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags: exe FormBook
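The identifiers above are what an analyst pivots on, and two of them deserve a check before they are trusted. The content hashes prove that a file on disk is the one this entry describes. The imphash f34d5f2d4577ed6d9ceec516c1f5a744, shared here with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, is the value every .NET executable gets from its single native import (mscoree.dll!_CorExeMain), so it identifies the CLR loader stub rather than the malware family; ssdeep, TLSH and the icon dhash are the useful similarity pivots for a .NET sample. The following Python is an added example, not code from MalwareBazaar or from this page: it re-implements the pefile imphash algorithm over a constructed import list (pefile's ordinal-name table for ws2_32/oleaut32 is omitted), tests whether an imphash is that generic .NET value, verifies a byte string against the hashes listed above, and computes the Hamming distance between two icon dhash values for icon-similarity pivots. The stand-in bytes and import lists are constructed; only the hash values are copied from this entry.

```python
import hashlib

# Identifiers copied from this MalwareBazaar entry (the sample itself is not embedded here).
ENTRY_HASHES = {
    "md5": "dc32dd7566e39e3ca9de87ba4ae5d550",
    "sha1": "0a6ee4aba4a40e776cdf2a6cc22530493514ef10",
    "sha256": "6629561c9ef95a707d75ea132f9e2a42132d1a349159b5331695612c108459ef",
    "sha3_384": "0f61af31e98ede58f802163a79b7ae66a8c2b40cb094d622d0d79153b44305038e5b8f574f1f19c4ba119174d4e83d0d",
}
ENTRY_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
ENTRY_DHASH = "b298acbab2ca7a72"


def file_hashes(data: bytes) -> dict:
    """Compute the four content hashes MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = ENTRY_HASHES) -> list:
    """Return the names of every listed hash that does NOT match `data`.
    An empty list means the bytes on disk are the bytes the entry describes."""
    actual = file_hashes(data)
    return sorted(name for name, digest in expected.items()
                  if actual[name] != digest.lower())


def _normalise_import(dll: str, func) -> str:
    """pefile-style normalisation: lowercase, strip .dll/.ocx/.sys, ordinals as ordN."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{dll}.{name}"


def imphash(imports) -> str:
    """Import hash as pefile computes it: MD5 over the ordered, comma-joined
    'dll.function' list. `imports` is a sequence of (dll, function_or_ordinal)
    in import-table order. (pefile additionally maps ordinals of ws2_32 and
    oleaut32 to names from a built-in table; that lookup is omitted here.)"""
    joined = ",".join(_normalise_import(d, f) for d, f in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def is_generic_dotnet_imphash(value: str) -> bool:
    """True if `value` is the imphash every .NET EXE gets from its only native
    import, mscoree.dll!_CorExeMain. Such a value names the runtime stub, not
    the malware, so it cannot be used as a family pivot."""
    return value.lower() == imphash([("mscoree.dll", "_CorExeMain")])


def dhash_distance(a: str, b: str) -> int:
    """Hamming distance between two 64-bit icon dhash values (16 hex chars each).
    0 means the same icon hash; a small distance means near-identical icons."""
    if len(a) != 16 or len(b) != 16:
        raise ValueError("dhash values are 16 hex characters")
    return bin(int(a, 16) ^ int(b, 16)).count("1")


if __name__ == "__main__":
    print("entry imphash is the generic .NET stub:", is_generic_dotnet_imphash(ENTRY_IMPHASH))
    # Constructed stand-in bytes; a real check would read the downloaded sample.
    print("hash mismatches for stand-in bytes:", verify_sample(b"not the real sample"))
    # Constructed neighbour differing in one bit from the entry's icon dhash.
    print("dhash distance to a one-bit neighbour:", dhash_distance(ENTRY_DHASH, "b298acbab2ca7a73"))
```

Run `verify_sample(open(path, "rb").read())` on a downloaded file; anything other than `[]` means the file is not this sample. For .NET samples, treat an imphash match as noise and pivot on ssdeep, TLSH or `dhash_distance` instead.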

Intelligence


File Origin
# of uploads: 1
# of downloads: 266
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Binary or sample is protected by dotNetProtector
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.Leonem
Status: Malicious
First seen: 2022-09-27 03:54:17 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 22 of 40 (55.00%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:ermr rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 8fda183554b3dd885b01c76b0b711ad379fe9d35a0bcc893a1af6d624efc0618
MD5 hash: e1362bdf16ae7b626bfc22de9d4b804b
SHA1 hash: b4dc6e54d5c5ccd571f0fc8dc03d994f294c86f8
Detections: XLoader win_formbook_auto win_formbook_g0
Parent samples:
SHA256 hash: 6629561c9ef95a707d75ea132f9e2a42132d1a349159b5331695612c108459ef
MD5 hash: dc32dd7566e39e3ca9de87ba4ae5d550
SHA1 hash: 0a6ee4aba4a40e776cdf2a6cc22530493514ef10
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples produce during analysis. Please note that only matches from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_Babel
Author: ditekSHen
Description: Detects executables packed with Babel

Rule name: INDICATOR_EXE_Packed_Dotfuscator
Author: ditekSHen
Description: Detects executables packed with Dotfuscator

Rule name: INDICATOR_EXE_Packed_dotNetProtector
Author: ditekSHen
Description: Detects executables packed with dotNetProtector

Rule name: INDICATOR_EXE_Packed_Goliath
Author: ditekSHen
Description: Detects executables packed with Goliath

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: malware_Formbook_strings
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pe_imphash

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest5
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest7
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments