MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf
SHA3-384 hash: b1d1294995cc017fde2fd814f55982509b538b173ebfe67a98840595c50e396490f8d101e90af936ed04954939710b2a
SHA1 hash: 2c02c95101b2bf7691b5f9b229011a4121371acc
MD5 hash: 844bd5e1bd887e5c4688dde5dd175cdb
humanhash: glucose-fix-triple-maryland
File name:___-0000000183.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:962'056 bytes
First seen:2024-10-11 12:16:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'656 x AgentTesla, 19'465 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:R08rHr14QvdrBq5POF4zzVjORVMjLMD3Qg2zsAoYgnuh1lw1afNbrxxTwcNiUkR:r3ddOgRVgAPww09r8giT
Threatray 15 similar samples on MalwareBazaar
TLSH T1B325E11463A88F05E4BA47F44634E27457B53D9AB42AE34A0EC57CEB3EB37024F46A07
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter NDA0E
Tags:exe FakePDF FormBook geo GRC

Intelligence

File Origin
# of uploads :
1
# of downloads :
412
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
___-0000000183.pdf.exe
Verdict:
No threats detected
Analysis date:
2024-10-11 12:24:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c1b56f07-00ff-45d5-872a-b470a044c655

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.22857.599.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67091741385c9c6f6abe43cd
Tags:
underscore injection exploit obfusc
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade overlay packed signed
Link:
https://www.filescan.io/uploads/670917451380228337571289/reports/98d01c5e-edaf-4c4e-b08a-241477aa7ace/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13ed0f69-2a45-48d1-8087-0d05393a3318
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1531639
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-10-11 12:17:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohes7aclkbkq3rpe34y4cewlt7aewbulffoszp54zqkpdba5g27q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
619285b6785160f940543292ef2bfdd914a99ad87e0a2472e64ff18c78677047
Formbook
71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf
Formbook
7230fedad9b1999e55841868a75082f735cf510b5c0cd3659746c90ba4d178d8
Formbook
9c7f3b0ad579745da0d9a082db66d3ea404e30de5fcf5da6cfb9108abe55d78c
Formbook
cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
Formbook
error
Formbook
f30297ce3c8bc97f49286ee0c14b241d6653a2e992de11213aa25a296ab485cd
Formbook
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241011-pf3aks1gqf/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/71391aae-33f2-432e-9120-57ca566f7975
Unpacked files
SH256 hash:
4e9038f22568e5a2908b9bb91d95b6dbb3bc5b6d06ffcc09b48af1a5e4e7eb22
MD5 hash:
49c40525c49a15e712573ae93dfbebc9
SHA1 hash:
c68b9c7fccaf609b11b9f67b7111134a5ab7e22c
Link:
https://www.unpac.me/results/1658137b-d35c-4d2e-8a72-47960acd6437/
SH256 hash:
fc45bc5328ca936c194bea939abea09aaed4394bd249f16c5bde729769e71ed3
MD5 hash:
799d6b3249ac8f97ab8634c2aacf1dd6
SHA1 hash:
9fce1497978f06172bdc06f958a813c4224d437d
Link:
https://www.unpac.me/results/1658137b-d35c-4d2e-8a72-47960acd6437/
SH256 hash:
003c150e1f8b2e4c8688cffcc0e6070681951b17bc68c28bc7dfe210a48398ea
MD5 hash:
65adde7d5dfbeca4cac9977b56481903
SHA1 hash:
aab4222a8b19c9f7fd8aa5cd7e0dea8d0b0b7daf
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1658137b-d35c-4d2e-8a72-47960acd6437/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/1658137b-d35c-4d2e-8a72-47960acd6437/
SH256 hash:
71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf
MD5 hash:
844bd5e1bd887e5c4688dde5dd175cdb
SHA1 hash:
2c02c95101b2bf7691b5f9b229011a4121371acc
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/1658137b-d35c-4d2e-8a72-47960acd6437/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 7951a71c3d79cf0fb4e49c081f0a62c0b6fab2d26ab045a782f278d4826c1b7b

Formbook

Executable exe 71c92f804b50550dc5e4df31c112cb9fc04b068b295d2cbfbccc14f1841d36bf

(this sample)

  
Dropped by
SHA256 7951a71c3d79cf0fb4e49c081f0a62c0b6fab2d26ab045a782f278d4826c1b7b
  
Dropped by
MD5 741cf68a75f90c5cfc372f65a591d75a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments