MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a
SHA3-384 hash: fc9c74f6444b649bc702b37b0d7132c9c8ef4651b761a3eda46c9a53cd3191f6024184145276ea6552d2387ef3030843
SHA1 hash: ac6929facf7cb026b347e90fd050ec86f99b6a8d
MD5 hash: 48504c79581e8676162a135850196b9b
humanhash: north-tennessee-sierra-wyoming
File name:SecuriteInfo.com.Win32.PWSX-gen.28393.10042
Download: download sample
Signature Formbook
Create hunting rule
File size:667'648 bytes
First seen:2023-07-19 06:30:54 UTC
Last seen:2023-07-19 12:27:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:HPYPfY7XzFl5AO3n5L8YUY3Hyr20IEEiOtk01J1khw9:HPYPgDzFl5AO3nBU1K0IwOtk0z1khq
Threatray 3'295 similar samples on MalwareBazaar
TLSH T13DE41240A7998A17D0BA03F85B30970053BC7F816527F9099FDBBDD9786BB404A62E37
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
279
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.28393.10042
Verdict:
Malicious activity
Analysis date:
2023-07-19 06:37:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/caecd180-1c35-465b-a667-fac43f3d861a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/424498/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28393.10042.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/64b78328f3c193545ac6c58b/reports/158208e2-d402-4848-8b27-38a057ce0b75/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ce5bc096-11bc-4423-8b49-4201f76c21d2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1275711
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275711 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 19/07/2023 Architecture: WINDOWS Score: 92 37 Malicious sample detected (through community Yara rule) 2->37 39 Sigma detected: Scheduled temp file as task from temp location 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected FormBook 2->43 7 SecuriteInfo.com.Win32.PWSX-gen.28393.10042.exe 7 2->7         started        11 WSLJuDOQkHpW.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\WSLJuDOQkHpW.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmpF916.tmp, XML 7->33 dropped 35 SecuriteInfo.com.W...28393.10042.exe.log, ASCII 7->35 dropped 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Adds a directory exclusion to Windows Defender 7->47 49 Injects a PE file into a foreign processes 7->49 13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        17 SecuriteInfo.com.Win32.PWSX-gen.28393.10042.exe 7->17         started        19 SecuriteInfo.com.Win32.PWSX-gen.28393.10042.exe 7->19         started        51 Multi AV Scanner detection for dropped file 11->51 21 schtasks.exe 1 11->21         started        23 WSLJuDOQkHpW.exe 11->23         started        signatures5 process6 process7 25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 conhost.exe 21->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 03:57:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nihfnbxikigjyhqysi7emtus5ptnglxeegoj2gxhcikyk74rpmfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
085692e71ab34556d9c9ca011c81b75997225a5c2a9b6047d8d701e77ec23e06
Formbook
1d8ffbf2a386718acac9f307a0b0315be1831b7a3407aeed7cd4b510db02a72c
Formbook
20951ff7514d86ca63b5560cb127f2da1bacefe032c8c839f1aaea354478b821
Formbook
653712fe2ab77c16473454a92a6ee7200e7c9600262bbb24e14612bdf393185f
Formbook
8a22014ada2999b66ab041f0aa93f42fb50b481778ce709272209dc9a96a9135
Formbook
b0ca90a4a10611f098fc18e528de4ad9f37c8272a525cd9fb44f8db874f25038
Formbook
b166f8281abdfa0539055969167c53f0d389af8bc8675a7455c1b74da2dddaa7
Formbook
c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182
Formbook
e1156b2e6b8500afa5e8a45d46a3420a33be357d5af362a224dc39e253fc720f
Formbook
+ 3'285 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230719-g928nsgc32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
8b14ddfc9e7a125693eb61f245cd254dc665c907d77cae050718e5b622260237
MD5 hash:
5453fa81bf6d8dcb2e930af5f721ea1b
SHA1 hash:
1ad534a06736f927e9d39d86112719cd2a24661c
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8f6e828f-ffde-4e09-8373-a5c8f92f3efa/
Parent samples :
6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a
fa89c3083bfde83eb9d216c5e303d1c1b1e21020501da5f7cfc1ff167cd2216b
c0bd2ff7157746e5ca7b325696c5c2d8c4258b205fe8789763d4a923e012c986
1257726baaeca6e8c000406ceaba2ec70fa53371d331f8e6b39bfff8bb0a3a02
SH256 hash:
4ea7d1a12876b7541aec2f41c3fe6ef7cb7d1ff7e938c7163e892a8d6ac11e54
MD5 hash:
fb3dcaa76207448c71daba69b5f00f52
SHA1 hash:
8c0665531dcd4a540b2fb953ed896e54736a63f0
Link:
https://www.unpac.me/results/8f6e828f-ffde-4e09-8373-a5c8f92f3efa/
SH256 hash:
45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c
MD5 hash:
ca775551666be768a9241f43eec98b87
SHA1 hash:
fbbd937067a24c48ee5274d3fa2881a991e64f3c
Link:
https://www.unpac.me/results/8f6e828f-ffde-4e09-8373-a5c8f92f3efa/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/8f6e828f-ffde-4e09-8373-a5c8f92f3efa/
SH256 hash:
1df8a98367f5b15497fca6bde9e712146b359f74cf09c4b4acb6cd3e866c9c08
MD5 hash:
b9d4096e77fc0351bebc0f51781c46db
SHA1 hash:
8a4a7bb1fae5a07fa1030faa4df7e64ebc5e118f
Link:
https://www.unpac.me/results/8f6e828f-ffde-4e09-8373-a5c8f92f3efa/
SH256 hash:
6a0e5686e8520c9c1e18923e464e92ebe6d32ee4219c9d1ae71215857f917b0a
MD5 hash:
48504c79581e8676162a135850196b9b
SHA1 hash:
ac6929facf7cb026b347e90fd050ec86f99b6a8d
Link:
https://www.unpac.me/results/8f6e828f-ffde-4e09-8373-a5c8f92f3efa/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/424498/

Comments