MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e
SHA3-384 hash:	5d4e49ff3ffe75d3b2a4d527a63f3037459494c9fd4661c608b88f85ca19c0ea06c609cde429b28837251a52e0f460ec
SHA1 hash:	e48553919d40d953b7e4c98abce999bc8f2ced51
MD5 hash:	14cadcc54906e374d407e8abfd758141
humanhash:	tennessee-oscar-ink-three
File name:	PO780.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	669'696 bytes
First seen:	2023-07-19 12:53:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:UIPYPfY7zJmysSiCXGz4jiyQ6F6wYfePpy30qrAaL/DhdjnsHomv4XIIE:tPYPgJ3uv6FPYsqrAajfjnPmwXIZ
Threatray	3'387 similar samples on MalwareBazaar
TLSH	T153E4120029688723C7B4C7F95324A34463BA9F9D3552F12D9FEBECCA7266F052A50D1B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO780.exe

Verdict:

Suspicious activity

Analysis date:

2023-07-19 13:02:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ca27fb3f-1091-4a81-b5d9-8fa40586d221

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/424884/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.31791.21615.15340.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64b7dced46e64860de106444/reports/8084de1f-c8d9-4964-84dc-b1d29ea46bf3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4cc31ed3-2a32-4940-89fa-413438b0d7d3

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1275961

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-19 11:21:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nqpwuucmwpqyz6e47uxj54nsyjhwxb7chldgvmtng6dlwnr6f2pa._file

Verdict:

malicious

Label(s):

formbook

Formbook

7ff09715ea3fa12705da00d500b72329217b7d82cae0c59aefa0ebbf3724a36d

Formbook

8bb4dbfeb12ea6c27f6a4bf9ba8188cc231208519e0d7c42bb48c1d75062c76d

Formbook

8e8dd0e9d0adac40a526531b51e77cd939d0d15f7d93fc6394d58d503b8ef8de

Formbook

9dea27ca0e29fd1b414242802ccc3801451b183af6a753bcc83d84bb0827b08d

Formbook

c76519bac4cff0206fbdd13fd4f016b7d7fe3607fd0c4b25dde7155765a9b2ae

Formbook

d13d4b6f1f4dc4f66b7a93d72eba7dd5051164277a40e3776a70298ac7cd54dd

Formbook

fabfc52b4f6d55fee942c164fed13e4d2b2654cafeff471a52e13c31384c19ce

Formbook

fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534

Formbook

+ 3'377 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230719-p48ghaff9y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Unpacked files

SH256 hash:

62bab32d7b538d8cc349c517df2686e3e7d245d9d3c69f6a0694f528f51c0db3

MD5 hash:

94e2e2b0d7ef39d0ce9296beb009a86d

SHA1 hash:

de83323cf051059348ce1591d45ab6ef8829a0be

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/1083bd5d-1623-4a59-aeab-a5912c5e9c93/

Parent samples :

19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

SH256 hash:

8ffd5e196aeab8c63166a7df6c664d680bb5084725887786641dfee2f3b8e1a8

MD5 hash:

079693d4675ed68b3dcab62298671662

SHA1 hash:

1590e1ddb774bc7e0b6d2b3ff1c0bee2005d1f1a

Link:

https://www.unpac.me/results/1083bd5d-1623-4a59-aeab-a5912c5e9c93/

SH256 hash:

45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c

MD5 hash:

ca775551666be768a9241f43eec98b87

SHA1 hash:

fbbd937067a24c48ee5274d3fa2881a991e64f3c

Link:

https://www.unpac.me/results/1083bd5d-1623-4a59-aeab-a5912c5e9c93/

SH256 hash:

4d5a8200d0c7378760bc0f8e35eb5fc803e875ada2d74bdf8021a3fa7b824bcc

MD5 hash:

6ae50def8b9227f59d09e604d56ea338

SHA1 hash:

bdb83c859d6894c876ce0a25df3cf82e61bfd6e4

Link:

https://www.unpac.me/results/1083bd5d-1623-4a59-aeab-a5912c5e9c93/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/1083bd5d-1623-4a59-aeab-a5912c5e9c93/

SH256 hash:

6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

MD5 hash:

14cadcc54906e374d407e8abfd758141

SHA1 hash:

e48553919d40d953b7e4c98abce999bc8f2ced51

Link:

https://www.unpac.me/results/1083bd5d-1623-4a59-aeab-a5912c5e9c93/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6c1f6a504cb3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 6c1f6a504cb3e18cf89cfd2e9ef1b2c24f6b87e23ac66ab26d3786bb363e2e9e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/424884/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample