MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 845adc24e3235ebe41dd0d7f8c3b044a5c485e89af4adb60404c4ac915dcad21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 845adc24e3235ebe41dd0d7f8c3b044a5c485e89af4adb60404c4ac915dcad21
SHA3-384 hash: 9cc84025f64106e7acb9e34b03e1d00658d9305b0162a266df12ac159fb69aa5976b6449b74dd22ee3724dd502236077
SHA1 hash: 564865fd0f83e6ce9a381533b8b25d3319a72d8c
MD5 hash: 63f40d622bc5260f646a134e492d59a7
humanhash: apart-blossom-nitrogen-skylark
File name: REVISED FREIGHT INVOICE.exe
Download: download sample
Signature: Formbook
File size: 656'896 bytes
First seen: 2023-08-29 08:36:14 UTC
Last seen: 2023-09-04 06:04:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:BCiWJp09gXP7nmx4s+tCns5cdc/TZgFhjC4Wu/XSY/nG:BCiF9Oni4tN5ckgFh+3Ngn
Threatray: 340 similar samples on MalwareBazaar
TLSH: T119D40217FA01EFB9C03A87F57C55E5000660DE6E5860E78899AB37E26C72B13907DB1B
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 266
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: REVISED FREIGHT INVOICE.exe
Verdict: Suspicious activity
Analysis date: 2023-08-29 09:45:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph ID: 1299401 (Sample: REVISED_FREIGHT_INVOICE.exe, Startdate: 29/08/2023, Architecture: WINDOWS, Score: 100). Nodes and edges recovered from the graph dump:
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
REVISED_FREIGHT_INVOICE.exe (started): Injects a PE file into a foreign processes; starts a second REVISED_FREIGHT_INVOICE.exe
REVISED_FREIGHT_INVOICE.exe (second instance): Maps a DLL or memory area into another process; Queues an APC in another process (thread injection); injects into TeVXhZDHXIKJYUcdsCZtfDJw.exe
TeVXhZDHXIKJYUcdsCZtfDJw.exe (injected): starts cmmon32.exe and autofmt.exe
cmmon32.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures; injects into explorer.exe and TeVXhZDHXIKJYUcdsCZtfDJw.exe
explorer.exe (injected): System process connects to network (likely due to code injection or exploit)
  www.jgsos.life 91.195.240.123, ports 49742, 49743, 49744 (SEDO-ASDE, Germany)
  www.qooski.top 154.91.230.151, ports 49741, 80 (ITACE-AS-AP Itace International Limited HK, Seychelles)
  www.prostoptowing.com 35.212.127.164, ports 49747, 49748, 49749 (GOOGLE-2 US, United States)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-08-28 05:40:37 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 21 of 38 (55.26%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: e07852e774f45e8284b464dd9007ca20844f61b3641e44ec967aa68b28c7e20f
MD5 hash: b913ca4a45d5c8bb213432f9535490b5
SHA1 hash: 2dcee402c4e628398112046a8617d7bc25a68125
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: 1f93d01c8db4bce0e85591df5ba075114c232c4b5df1bab6aae20a0bac1530ae
MD5 hash: 6e961dcabd9832a4ecd53335036bf15a
SHA1 hash: 23d8db01af2284e838e459635836c772345f9ec1

SHA256 hash: 5a767c7d641367c8d1a09a734133864f6da2c4a18fcc8df1f3711d1dc594d3ee
MD5 hash: 3330807523ed64bf51776519b31bd306
SHA1 hash: c3b82c017a2a2954371900c0d6bc7c5ede64aa7d

SHA256 hash: 0fe2af939fae802fcedf94ddb7acf6254e590010a79aff06532578d3fcaed21e
MD5 hash: a06fbdc5e3a3637536007b99e28d5304
SHA1 hash: 478edda6ab87ada0a127a142be816e2a8cfaa19f

SHA256 hash: 598a766b26fc39c1092e2f20cee1f42df6d6049d618ac5d4d331c646ab6a8b47
MD5 hash: 00c960e10d544bd0961a993c3c6dbbe5
SHA1 hash: 04018db21d1b12800f1bc413b90ccb3264955bcb

SHA256 hash: 845adc24e3235ebe41dd0d7f8c3b044a5c485e89af4adb60404c4ac915dcad21
MD5 hash: 63f40d622bc5260f646a134e492d59a7
SHA1 hash: 564865fd0f83e6ce9a381533b8b25d3319a72d8c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (Distributed via e-mail attachment)
Signature: Formbook
File: Executable exe 845adc24e3235ebe41dd0d7f8c3b044a5c485e89af4adb60404c4ac915dcad21 (this sample)

Comments