MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
SHA3-384 hash: f0482a68a37450009df46646fe79d8253ce44a2688e2df79f8b3ea976c4920147e2746dc120618060832307ba47ad7ad
SHA1 hash: 13e3682d381e8cb71f8058fd81aff5485323dfe6
MD5 hash: 745187a622580b5979668fabc06e0fe4
humanhash: echo-echo-alpha-paris
File name:SOA END OF JULY 2023_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:282'687 bytes
First seen:2023-08-15 12:13:55 UTC
Last seen:2023-08-17 05:42:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa6odIYezviKrAKJMIVwPeWU9T5CTlFH/MdsiFR:PYedIY+jAyMKCeWUqTlFfM57
Threatray 3'522 similar samples on MalwareBazaar
TLSH T1C854125643C5C07FF8636EF26C73668B2EF65B0601788A0F1B1073997672646FA2E312
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA END OF JULY 2023_PDF.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-15 12:14:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcc337eb-6bd1-4210-9e3e-eb056f24a987

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442765/
Detection(s):
Sanesecurity.Rogue.0hr.20230815-1238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102875/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6a7e5c2-ed7b-4617-98cb-f694f2caf1cc
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291380
Signature
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2023-08-15 10:05:30 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q37hspoxr7s3r6ane4n22t2xiv3selivb6q5efix6jvmrn3rso7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
229acb9011d2cf600c9112b5f7d19cba56d9bf5ecc20880a6c760e10f685b244
Formbook
3276e7ff57ccbea104651066c1d45301d52fbfce23d0d48f5238d82a51abd852
Formbook
3931d6780f87facdf721f6e730ec38738afe7bb5378247824a1374802e2d04af
Formbook
751979a730418403c73ea0e14c8ad5d77d4fd95de07a9cc24aa3ca21650ee1e6
Formbook
93512f8df3b84088ddebeaa216201bfc2a2e9d68ded4133a9ef94fc5f154b229
Formbook
b0302231ae277b08e383cef527b093307edf552a1777b5c9a088e2e1c61ad6fe
Formbook
c22f7e6ed2e27a1863b7bf519f4254afafeffc69cadbee3ff2eadd3b3ed36492
Formbook
ea2ae64afb2fe6c21176ec595cc4036a184e16c700c312aa8efa4280ab27c2c3
Formbook
f4afad610ada8c98e0e1bf3907d6ae1b3ffe56d2060df106d9336aac195a5e31
Formbook
+ 3'512 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230815-pebq8saf32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
c2b15e074a90db6016d66d32343ffaab5191894ddf9401a3e40a55f0f959e3d4
MD5 hash:
31d8bc53323b55c07e4b48af3bb436c3
SHA1 hash:
6e43dfae02e870089ecf30c1dd6cef9975cb07ec
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3dcfc7a6-5c89-4b12-aa68-1e922ecf2896/
Parent samples :
93512f8df3b84088ddebeaa216201bfc2a2e9d68ded4133a9ef94fc5f154b229
86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
1b7d0e37b2c2465020c57cb6ca8b3d15546b862cef6a06fb2d4c6aa5d94263b0
032948bc1f91de998ac96af702ec58223c3b15d653b9fa7778163dd5b120b5d6
2c6b67cc0adc1f6ca39dbffcce72276296faae3feffecee9051846ab5fc34b05
SH256 hash:
86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
MD5 hash:
745187a622580b5979668fabc06e0fe4
SHA1 hash:
13e3682d381e8cb71f8058fd81aff5485323dfe6
Link:
https://www.unpac.me/results/3dcfc7a6-5c89-4b12-aa68-1e922ecf2896/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c

Formbook

Executable exe 86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442765/
  
Dropped by
SHA256 208e88702493ec9c59ef7f4f052adfb7300533bf3913fb66fd0711516786725c
  
Dropped by
MD5 dcd2de08ed1e1a568fc3fc7dbbc7aca2

Comments