MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a
SHA3-384 hash: 8030934769936a2eccc2528b698695638cedf3168a9f77402b6203d94a26fe7321fdd0cac26ca7d7de087562a6ad0db1
SHA1 hash: 6cd27c98ad2caa6646ba581e239c5710fa922098
MD5 hash: e2453e99719edba335e24890315924e0
humanhash: friend-butter-fifteen-utah
File name:rszl23077773.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:636'416 bytes
First seen:2023-09-22 01:26:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Gz52iNzEisUH/wpyJX5Xz02qiLYHho+RNffsvaQQIk8xZpYHmgyATi3yfzL:c51hEWI8JXVfJSLnbWkC0HWATiCfz
Threatray 108 similar samples on MalwareBazaar
TLSH T1AAD4235A53682720DA6EDBF826667620337DC42B1013FB4EACD530EB59A77820D217F7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
rszl23077773.exe
Verdict:
Malicious activity
Analysis date:
2023-09-22 09:19:50 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/1def4247-7d57-46cf-9033-0e582109cdd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450529/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650ced6732ffdb7a7a0f455c/reports/0cbc6ee2-3022-4fa7-b2f2-526e138fe4e1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72681b7a-b641-488c-aa75-46c21e4d001e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312703
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Deletes itself after installation
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1312703 Sample: rszl23077773.exe Startdate: 22/09/2023 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 4 other signatures 2->43 9 rszl23077773.exe 3 2->9         started        process3 signatures4 55 Injects a PE file into a foreign processes 9->55 12 rszl23077773.exe 9->12         started        15 rszl23077773.exe 9->15         started        process5 signatures6 57 Maps a DLL or memory area into another process 12->57 59 Queues an APC in another process (thread injection) 12->59 17 ytQmDJvGtzEZxOrGXdEIWgdaoM.exe 12->17 injected process7 signatures8 35 Injects code into the Windows Explorer (explorer.exe) 17->35 20 explorer.exe 13 17->20         started        process9 signatures10 45 Tries to steal Mail credentials (via file / registry access) 20->45 47 Tries to harvest and steal browser information (history, passwords, etc) 20->47 49 Deletes itself after installation 20->49 51 2 other signatures 20->51 23 explorer.exe 2 1 20->23 injected 27 ytQmDJvGtzEZxOrGXdEIWgdaoM.exe 20->27 injected process11 dnsIp12 29 www.coolgirls.space 91.206.201.91, 49767, 49768, 49769 UKRAINE-ASUA Ukraine 23->29 31 www.potent-tech.com 119.28.69.86, 49739, 49740, 49741 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 23->31 33 13 other IPs or domains 23->33 53 System process connects to network (likely due to code injection or exploit) 23->53 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 16:38:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3qbrwmf7qkjfjrdzgp73tjzy5ukbtpls5oxshv5hiodol7sckfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0cc4308eaf906783b45db5c75d2bf7e5a0b74d9d531dcce595604c1f436d4fb4
Formbook
4588c6ac02ddd81f8315af2307ec516f58400c555ecd74944a77964fbdd992c1
Formbook
5aff1db8f4c749933cd8869e1e80f000e4c27de7c0c7a7d1aa59c4f324522210
Formbook
6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29
Formbook
9cfa472702dbedc0f87b0e594d3c8ace16e1c9952d8d7e44be8aa9114b214c45
Formbook
b842e2fd60338a5a60a60ca5e4ec84be149b7a15c7840e93c2e22ac03843701a
Formbook
c1d19cee2a05f48cedd6f1f7aa6eec9e27c00cedb7135d0187200b030b302c6d
Formbook
+ 98 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230922-bt375sbd8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
043961098da7adb01104bfe078e0a9ba8ef1581c08c182bda7dbe321f9a2cbe8
MD5 hash:
70898a3cb1089c9bfead550b36b55d88
SHA1 hash:
9deebc8dad032b8c062744e0cc7f211d390c7c5d
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
Parent samples :
5aff1db8f4c749933cd8869e1e80f000e4c27de7c0c7a7d1aa59c4f324522210
6eeeec436d7abca44202ca9e5f3e20d2bc6a7f4adaf240e1ba5ab41e94890c29
8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a
8f939a17b7cce53784b111ad018d932191e79305b5ae129347503b238f2274f7
afbcc4589635ef9e83579c9865d99e7b454f827e5ae02b8248db0fc73d9553c4
SH256 hash:
eb3c14db4a7fe19d173136aed70921e64e0f45381a556f0f87ecb0f4f9ce8a8e
MD5 hash:
f95951ec1268bf89deb167d4ad8074c8
SHA1 hash:
f63707eea9536bddd0abb93683342b53c1e850a4
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
SH256 hash:
895fd74853f6ff271656c5e612bd4518f5ff1ae402c41324d0616b9b655a13e4
MD5 hash:
eb2cf063cc0e02e4fa500a3a3c817478
SHA1 hash:
e475321d4fe9e88e70689cbf97222e266c5b317b
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
SH256 hash:
a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d
MD5 hash:
200ab8e098a1e41ca357d3cdcfab4bdf
SHA1 hash:
dc2a6966c9b964286e41d8cc77d57bc5e41ed216
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
SH256 hash:
f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb
MD5 hash:
65d61d54ea7665a497fed9699cc9e7e5
SHA1 hash:
8418bb9f902beac21267a1a60ac8431a4179defc
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
SH256 hash:
df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c
MD5 hash:
8383b9306b9b5929b0aed1f24991d929
SHA1 hash:
6acebb9f139a62de981a3ec15ce35f61f5c3132e
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
SH256 hash:
8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a
MD5 hash:
e2453e99719edba335e24890315924e0
SHA1 hash:
6cd27c98ad2caa6646ba581e239c5710fa922098
Link:
https://www.unpac.me/results/3203fe08-fa65-4177-ae3e-bee8c5acf105/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8ee018d985fc1492a623c99ffdcd39c768a0cdeb975d791ebd3a1c372ff2128a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450529/

Comments