MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e87b1cbc2d22e69597d3153f5a1ba364483bf06f8a755d12d5b56479b1be448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	7e87b1cbc2d22e69597d3153f5a1ba364483bf06f8a755d12d5b56479b1be448
SHA3-384 hash:	aafa7a82512bb1ab36cf33a6b7c35d11aa33cb65d64cdef4adabf9d1fc0b4d0ea2c80b746e1fb3177c8bd7a0646e2a2a
SHA1 hash:	64248f20389e63596d42175d94feb8db12cefc13
MD5 hash:	58baac8dd36307b4d5969cf39b1447b0
humanhash:	steak-north-orange-football
File name:	Shipment Deatails BL and INV222010736.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	220'114 bytes
First seen:	2022-10-27 20:33:52 UTC
Last seen:	2022-10-31 10:56:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	6144:qweEpo6qhTAdITq5XJeSNeuk9Q39Vs9VJu7T:b0FAdITMJlAuAQM9S
TLSH	T1AE241222B5D498F7E92203B259B79BB4D9F3A41C5921A50B47B41F772C383C3EE0A41B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/325137/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46109/overview

Behaviour

MalwareBazaar

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2f823415-6d75-43e9-b0b0-d38e45c9a099

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099791

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e87b1cbc2d22e69597d3153f5a1ba364483bf06f8a755d12d5b56479b1be448/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-27 00:11:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 40 (57.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p2d3ds6c2ixgswl5gfj7lin2gzcihpyg7ctvlujnlnlepgy34rea._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:sm28 rat spyware stealer trojan

Link:

https://tria.ge/reports/221027-zcep8adefj/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook payload

Formbook

Unpacked files

SH256 hash:

2fdd6ff01e0510b68ded98354b54dc261f7a21df02c1b2566a5cfe02fd57fc67

MD5 hash:

217d326220db7d5985bfd6c29c71a4b2

SHA1 hash:

14f213c49a9b90bf83649861e6dd64a88382bf17

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/cb6cf947-cf0d-474e-bc86-fc5bd2a6906f/

Parent samples :

b1bc91086e6fe98ad32079eec01e28b01ae0706d513bf494bd321aaf22e641ec
6a25620e3223325004b6ef5a32d4961f95f8a6065379fac3fb10ee08bcb43bb5
1de28d05855c0573467c86248a08059df01ee919d7dc019ac94318b470bac444
0673e3ccaf8f4bc60b304e94d608fb1511d2ea7644c672563b6a81b5c3338c19
7e87b1cbc2d22e69597d3153f5a1ba364483bf06f8a755d12d5b56479b1be448

SH256 hash:

ecdc3c99f6b835190809b64d576fc17a5ad5fd75889a06bf8c3eac53b96fd90b

MD5 hash:

3f4db714b48655fa875b2b96b99d787d

SHA1 hash:

13818202ad095ff09a24de6d8a54dbf2e5bf26d2

Link:

https://www.unpac.me/results/cb6cf947-cf0d-474e-bc86-fc5bd2a6906f/

SH256 hash:

7e87b1cbc2d22e69597d3153f5a1ba364483bf06f8a755d12d5b56479b1be448

MD5 hash:

58baac8dd36307b4d5969cf39b1447b0

SHA1 hash:

64248f20389e63596d42175d94feb8db12cefc13

Link:

https://www.unpac.me/results/cb6cf947-cf0d-474e-bc86-fc5bd2a6906f/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7e87b1cbc2d2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/7e87b1cbc2d22e69597d3153f5a1ba364483bf06f8a755d12d5b56479b1be448

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.