MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d
SHA3-384 hash: ae5444d8acc20fbd76e208fbadc560891145aa550b077d53804b5658a0ece70ef377fad26987e7fb250ad94486ab05de
SHA1 hash: 468d6112130fc9b58092db88611d2ad53cb33a06
MD5 hash: c47a7fef0ab6068c68877022965dc13d
humanhash: ten-sixteen-december-london
File name:emsO.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:905'736 bytes
First seen:2024-05-13 16:47:55 UTC
Last seen:2024-05-13 17:19:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:fChkTeH81jJUS5ZsNXTkuF/bbXEQoR1aWX9MbGU6qG/ux5VWYcvyE1tHiwSQYiMo:I8MS5ETzbb6trU6x/ux5VWYcj3
Threatray 162 similar samples on MalwareBazaar
TLSH T14B15AE9C362076EFC967C972DAA81C64EA6074BB430BD203A01715EDEA4DA97CF145F3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter smica83
Tags:exe FormBook HUN

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d.exe
Verdict:
Malicious activity
Analysis date:
2024-05-13 16:49:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/425f324d-85aa-4f1f-84fa-599b842f5779

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8645.16979.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/641982ca-16e8-4934-8234-aad1fc0784ac
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1440712
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1440712 Sample: emsO.exe Startdate: 13/05/2024 Architecture: WINDOWS Score: 100 31 www.quantumboulevard.xyz 2->31 33 www.trustwaletapp.com 2->33 35 16 other IPs or domains 2->35 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 47 7 other signatures 2->47 10 emsO.exe 3 2->10         started        signatures3 45 Performs DNS queries to domains with low reputation 31->45 process4 signatures5 57 Detected unpacking (changes PE section rights) 10->57 59 Detected unpacking (overwrites its own PE header) 10->59 61 Injects a PE file into a foreign processes 10->61 13 emsO.exe 10->13         started        process6 signatures7 63 Maps a DLL or memory area into another process 13->63 16 EBuIsUsJHAd.exe 13->16 injected process8 dnsIp9 25 www.gattosat.icu 109.123.121.243, 49745, 49746, 49747 UK2NET-ASGB United Kingdom 16->25 27 www.quantumboulevard.xyz 66.29.135.159, 49753, 49754, 49755 ADVANTAGECOMUS United States 16->27 29 10 other IPs or domains 16->29 37 Found direct / indirect Syscall (likely to bypass EDR) 16->37 20 unlodctr.exe 13 16->20         started        signatures10 process11 signatures12 49 Tries to steal Mail credentials (via file / registry access) 20->49 51 Tries to harvest and steal browser information (history, passwords, etc) 20->51 53 Modifies the context of a thread in another process (thread injection) 20->53 55 Maps a DLL or memory area into another process 20->55 23 firefox.exe 20->23         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-05-13 08:42:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmpsyt477xgyu4ypokv5dofcu4lo33it54zyo3ww64cnbebham6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b
Formbook
0cc54ffd005b4d3d048e72f6d66bcc1ac5a7a511ab9ecf59dc1d2ece72c69e85
Formbook
389def5368cc545926f364b380b16504eee871fe108ce92e4b65011182929c25
Formbook
71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
Formbook
98a9021f55ec887a271dd6b5bef911bdbf09514530db7abdb887d5282aaf7631
Formbook
a69420b181a6704cdf507e6ba6f725060fc4eca42794aca6a3719af43bc33560
Formbook
ddbc4908272a1d0f339b58627a6795a7daff257470741474cc9203b9a9a56cd6
Formbook
fa55a0efc03c0f64de8c1775fb0ca1a744f7b4f91e4e7b32c93ebe1a9d3952f7
Formbook
+ 152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240513-va38ksfd69/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
28e4fc5c7e927268f9e8f1a005567cc06a0da2c37607d2a9e829a225770f68a5
MD5 hash:
c33d502b9e37197d219811894e43d763
SHA1 hash:
9d33fcd2ee4c6c0f6517b0180ae6717fa4edd630
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
SH256 hash:
bc8542b7bbbfdb4f7b37497593bbc39835e5fc12341b581c37377b8241d83f18
MD5 hash:
abab05ee1cf56e3127913e9b2eb91d38
SHA1 hash:
e1348c71b67779558f53ab5988af5440a3ec72bf
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
SH256 hash:
39040b42a341b87438ecad5a7f58e3640b658e981afc374a9389b76b739b6320
MD5 hash:
b5a61ec8c8dd62e695509de822082efc
SHA1 hash:
a1d2470c1b8c5a866cf66fefb20bdbf363cc2965
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
SH256 hash:
fd3f1f3f0c984361bb23b2f6ba22a4bbd636095bf6e9d0c31d77b5ccfceed307
MD5 hash:
1e504d0d93436a776666cc8236d65844
SHA1 hash:
834490f9be03a0814c6460f5aae33af12e83b8f5
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
SH256 hash:
72df8e0fc3a74601e09c3d969a379fe4287f01220fd61cc8c0d8fed0c248bf05
MD5 hash:
dcd4405f3e77c76911d56aa23c4ed312
SHA1 hash:
02f5243294a92c84ee914d32176396bb2287e55a
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
SH256 hash:
8213a6a34c36db37675298dcbbbb36451ddf233c1af7e8783be225d3e4c08271
MD5 hash:
a2f5dafc17432fdea2f85c9c972167ca
SHA1 hash:
004139faa5268e3fd9fcc92710d0e331d32a2d7b
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
SH256 hash:
831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d
MD5 hash:
c47a7fef0ab6068c68877022965dc13d
SHA1 hash:
468d6112130fc9b58092db88611d2ad53cb33a06
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/3c4f4a6d-48b9-411c-86b7-8bb16c8a006a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/831f2c4f9ffd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/831f2c4f9ffdcd8a730f72abd1b8a2a716eded13ef33876ed6f704d09027033d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments