MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd
SHA3-384 hash: b95f427492d75e14f0388d177734c9853344a51d21ce3997adc837dd3649cd5bb9dfc65bc5c4d6d009ba4b4690805898
SHA1 hash: 20cc37a6bc602097bad9a29a523562ba62388195
MD5 hash: 5122c5e52b4b71eb8e21fa425e035a62
humanhash: nine-cardinal-nineteen-alpha
File name:PI.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:261'158 bytes
First seen:2023-07-18 06:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:vYa6b5O3+jM5UngXVSfEmeC0GAUcdKobiN2esZmG77Yib:vYJE3+AGngSZPcEobc6ZmoHb
Threatray 3'257 similar samples on MalwareBazaar
TLSH T1754412486FF1C0B7D1E147333F7597D69BB9AA1234A0670B23905B8CB826261ED4F762
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-18 06:22:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a6073c28-960c-4b8d-a05f-3a5ce28b21c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423220/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.3368.2982.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64b62edf91e7270521ea76d6/reports/aa454962-c553-4699-83de-ea4d1e55621f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/341db1ad-8553-44f9-b0be-f1e489ecd058
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274874
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 08:41:53 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rehr5jpq5bx5dahuoz5vfjznqhk7mellkrmdr4ikhsx6sm3zyp6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02ffa3a8856091ec637bfe8f4155eb49d3ede06df0cf2e83b828f5b27c983627
Formbook
38c1c1705e3b01c99f4767d19065cbd50ccae650ef3f4ee03c8327a1a33db868
Formbook
3b2cdea86106106bf0ec55e86a4b2e4a6beaf5fda5597c774f4b6de99a0cb08f
Formbook
3d1445e540b8f4dfee869812cde4bf208bdfc2a28a510336924c860868c07c25
Formbook
88dab0ee02a70b83cb4c99ffa6e809c2789c9e1d55cdcd92454f73bf9d5effa4
Formbook
8bb4dbfeb12ea6c27f6a4bf9ba8188cc231208519e0d7c42bb48c1d75062c76d
Formbook
a8f5392112f282b9d32749631c3d85fc6b568dd0b3fe91ffb8c5c7215e3f7114
Formbook
de30e038eaa635585c23ec16221f9307e49152fe0d42d6f49a9435beb42f1f9f
Formbook
ebc47d50c4ca732ef1da156f4284c35025bcbee243a8c5e022f3d1ffd1b50895
Formbook
f3a16fbf76dc776eb61b55b5a5aa8d3203e77effc2e05d85f93df96612323095
Formbook
+ 3'247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230718-g267nahd4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
476d0465af12bb262b716784b706618d03ba3937a814b64b7f8d060fe6ff1ec9
MD5 hash:
4ef64a9af9efda6cac42134e14e174b4
SHA1 hash:
eea334e7c1be5458c4cece4a984a969c8add1bbe
Link:
https://www.unpac.me/results/10d64fe8-41cb-4e75-bbed-4b48e55a929e/
SH256 hash:
8a219bc484549496821004daa2e88653bea7c53b922db244bf4116ce19ff0e07
MD5 hash:
5606680621c2701b5d9ecc3c6c7ab205
SHA1 hash:
cbc9a43573bb4238ded06073ed59ab183b6fcdd8
Link:
https://www.unpac.me/results/10d64fe8-41cb-4e75-bbed-4b48e55a929e/
SH256 hash:
7cbe11f2afbfa1f0531894a4220601907cd12d18754388825744435cc8e01e6a
MD5 hash:
f4d1f7751869971d4d67ae5d603513e5
SHA1 hash:
ec037f3e233fda597eb48ad001298e7b28b1e398
Link:
https://www.unpac.me/results/10d64fe8-41cb-4e75-bbed-4b48e55a929e/
SH256 hash:
890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd
MD5 hash:
5122c5e52b4b71eb8e21fa425e035a62
SHA1 hash:
20cc37a6bc602097bad9a29a523562ba62388195
Link:
https://www.unpac.me/results/10d64fe8-41cb-4e75-bbed-4b48e55a929e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/890f1ea5f0e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 8007357fa8b52a81e6214a0fd1e138a9cf6d9799fbf599fe7e0776c8fa9b70cd

Formbook

Executable exe 890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8007357fa8b52a81e6214a0fd1e138a9cf6d9799fbf599fe7e0776c8fa9b70cd
Cape
Cape
https://www.capesandbox.com/analysis/423220/
  
Dropped by
MD5 90f426d0949aebe925d9f9fc922e2546

Comments