MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94
SHA3-384 hash:	e440dda4ddfde5f1b122b47f40af9a295d9be9f4ecaaaaf391d304c8d06432e6363c44ad9216635bc63137dc333461d2
SHA1 hash:	291ab6d36c851cbb00d2c344c10abaea8c4f22c0
MD5 hash:	cc42d6edd3fc5e953bcf59b67c31faed
humanhash:	alanine-butter-winter-oxygen
File name:	SecuriteInfo.com.Win32.MalwareX-gen.26512.27594
Download:	download sample
Signature	Formbook Create hunting rule
File size:	663'560 bytes
First seen:	2024-10-08 10:32:00 UTC
Last seen:	2025-01-10 14:07:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:QnCkUsRlS2acxpYc9UeeXBeU8ni8nkZsqgElVRkycQqWy+SkcmEaglKkR:GFec7YcTFi4qhlWWy+ScEaq
TLSH	T179E4025C1744D603C959ABB41AB1F1B42B795EDEB501E307AFEC6CEFB5AAB108C04293
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

410

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.26512.27594

Verdict:

No threats detected

Analysis date:

2024-10-08 11:03:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a80a6554-9473-4133-94cc-3b5761127408

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.26512.27594.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67050a23dcb599bb05a4fb7f

Tags:

Powershell Kryptik Exploit Msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature overlay packed signed

Link:

https://www.filescan.io/uploads/67050a2835b81f79905efac7/reports/d87c693b-d117-40fa-bd6a-e95b3da69f07/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/950ff2ae-02ec-43ac-8128-d1d0360c1369

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1528900

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-10-08 10:32:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pcz6cdzvlxukpaggttdcfxj3yuutmx7v7ikb5murcexopmxpfkka._file

Verdict:

malicious

Label(s):

unknown_loader_037

formbook

Similar samples:

error

Formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:t94g discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/241008-mkyf3ssgqr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Verdict:

Malicious

Tags:

formbook

YARA:

n/a

Link:

https://app.threat.zone/submission/975a494f-c28e-4eed-8ff7-5c9c37425106

Unpacked files

SH256 hash:

3eead0098cefd1ca92f5c18180e0ff8d702f2b462e585c1d04fd1f5f78d6ffbb

MD5 hash:

4471b83e01b0830b61c045fdb78b7bee

SHA1 hash:

801e7a49d556065666f6f72359b8032a5793f923

Detections:

FormBook

win_formbook_g0

win_formbook_auto

win_formbook_w0

Formbook

Link:

https://www.unpac.me/results/a53d4879-493e-47e7-b718-c0117dcd1277/

Parent samples :

8762ea652c974bb0aa9bdf338ed57d46c251f72f5f1f4a5bf4d40c9961d8e2ee
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94
9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16

SH256 hash:

abe8a5f1378d7963b2646d048e95ac32d82c6c0c01d397728716cc5c1755817f

MD5 hash:

b6bfcf18933f05d581dc6d6a9f619949

SHA1 hash:

0503372815361adf363c4d6df16fdbe858f9e45f

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a53d4879-493e-47e7-b718-c0117dcd1277/

SH256 hash:

682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab

MD5 hash:

5a6cead6de3340dd9e0b16d599e5d1f5

SHA1 hash:

00e25f93284ff0d2493c6df3a596891d0848399e

Link:

https://www.unpac.me/results/a53d4879-493e-47e7-b718-c0117dcd1277/

SH256 hash:

78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94

MD5 hash:

cc42d6edd3fc5e953bcf59b67c31faed

SHA1 hash:

291ab6d36c851cbb00d2c344c10abaea8c4f22c0

Link:

https://www.unpac.me/results/a53d4879-493e-47e7-b718-c0117dcd1277/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample