MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e
SHA3-384 hash: 4a2ba2babfdcdb466d2e6c579caae8d441b6f7721ec5309b2be3bf9131c797dc1fe37b054cb4adcda3ca64a7568396cf
SHA1 hash: 769f7c16b83a34ffa53d0bfa4b7addc21666e2e4
MD5 hash: e6e24d5bcc8fdc2ab0c1784b4b350504
humanhash: blossom-muppet-venus-seven
File name:AZIN FELEZ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:269'528 bytes
First seen:2023-05-19 00:03:31 UTC
Last seen:2023-05-20 14:52:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:wYa6HENKgtiUlEUMjSZBQcm6tNFIATsXNYhKp4TyADNiHkEgq4ECYvKoQ:wY96ZRBQcm+1e+VfNiH//CUKX
Threatray 2'865 similar samples on MalwareBazaar
TLSH T12D4402842FAC8237E42246309772CA899EF45D3A595853875714FF2EADF27C18A0F327
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AZIN FELEZ.exe
Verdict:
No threats detected
Analysis date:
2023-05-19 00:05:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2109191-1379-49b4-97b1-cce1120a0ca8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67069810.30870.32547.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/85576/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6466bcf3a9714de16b6cbf10/reports/42928a64-c107-4e8d-926f-e115ec9fb800/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/065e21e7-1b22-437c-ab56-d8e0b94c7830
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1236551
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e/
Threat name:
Win32.Trojan.GenShell
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 00:04:46 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rue6ggr52opbv35hnj4io3hhyorlx2inyagp6jihcbjrcfnuxcha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43
Formbook
3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b
Formbook
43e743e060255d4a878a5fd14de21a97ae1fe045cd55dece4a9f1cd1857ee559
Formbook
60fe13a26cde812037097d97acc94f5ab707e86e09744fad56f07afd324401bf
Formbook
86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54
Formbook
ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e
Formbook
c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f
Formbook
d1e4cc2b2df4de229947e033f6dd65379db0d12d92ec7de9ffcc8336c1c55e9a
Formbook
d2e78fc6d48b4936070f2c8dccfd55a3619e8116964887f723963405e78f2320
Formbook
e14890d40be2216c014475cac45debe0d23a1e6eb333908c814034b1df73b73d
Formbook
+ 2'855 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230519-aclq4aeb92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e
MD5 hash:
e6e24d5bcc8fdc2ab0c1784b4b350504
SHA1 hash:
769f7c16b83a34ffa53d0bfa4b7addc21666e2e4
Link:
https://www.unpac.me/results/e38ebf73-3553-4ffe-a10d-c048ef734460/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d09e31a3dd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments