MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments

SHA256 hash:	91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1
SHA3-384 hash:	3e30e55d8c288c7f829622ba1ac673f28212723c6216ded12fcf39469c05d59df1bcd40d5ab9809ea528adae4c706cda
SHA1 hash:	5281e8047d08086b3acaac190307f78a7d4ec3c5
MD5 hash:	a4bce92a13ed75b4a61d0b33764de8ae
humanhash:	don-winter-violet-nuts
File name:	ISU8109C5352024.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'999'360 bytes
First seen:	2024-07-18 05:47:55 UTC
Last seen:	2024-07-24 19:04:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	06249f041b2cdab25d6c331a97469bef (3 x RemcosRAT, 3 x Formbook)
ssdeep	49152:a01xRoq0SqdSo1s9Z7N/pilLbWQ87oFfXUiUDL1jPGWp6lTdh:End9UvyJ
Threatray	69 similar samples on MalwareBazaar
TLSH	T1DC95CF05E3E845A8E977DB34CA629333CAB178561731E58F065CD2052F33EA19B7B326
TrID	72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 13.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.EXE) OS/2 Executable (generic) (2029/13) 2.5% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Remcos-10032464-0

Win.Malware.Dacic-10033090-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6698ac9d936dc865ddc76de7

Tags:

Static Generickd

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

hacktool lolbin microsoft_visual_cc packed regedit remote shell32

Link:

https://www.filescan.io/uploads/6698ac987b9add553ed6bc27/reports/0daeaf86-c43b-4e36-a5f5-c621784c51c1/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f211e14c-219c-4626-99be-52def07b79d9

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1475667

Signature

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2024-06-21 07:45:40 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=shpf2zcn6j2yrxc2ydhth2icuybsiaybf4dkqsza3y6z3lglpdqq._file

Verdict:

malicious

Label(s):

formbook

Formbook

04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa

Formbook

63c54ec22929fcc9f94619b4424942902bac2fc902febf05d7bdd95191ab5fc6

Formbook

904b8e3088d91ab3b5c0929d7bf5b8fe47d11a481e72a9a7084bb6d07b014169

Formbook

91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1

Formbook

9f9f5bfd860ce79ed81a7c5c1252549f315fb530d862f6e829cedcd2e69d72bc

Formbook

+ 59 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240718-ghfwcszhqd/

Behaviour

Runs regedit.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f745bd9c-eacc-44fc-8e6c-dce0311caf60

Unpacked files

SH256 hash:

91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1

MD5 hash:

a4bce92a13ed75b4a61d0b33764de8ae

SHA1 hash:

5281e8047d08086b3acaac190307f78a7d4ec3c5

Link:

https://www.unpac.me/results/f9bc22be-5362-4e17-89d2-43a0196bba71/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/91de5d644df2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/91de5d644df27588dc5ac0cf33e902a6032403012f06a84b20de3d9daccb78e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::CreateWellKnownSid ADVAPI32.dll::RevertToSelf ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken ADVAPI32.dll::SetThreadToken KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::DeleteVolumeMountPointW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::FreeConsole KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileExW KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API	Can Encrypt Files	bcrypt.dll::BCryptDecrypt bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptGenerateSymmetricKey bcrypt.dll::BCryptGenRandom bcrypt.dll::BCryptOpenAlgorithmProvider bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyExW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExA ADVAPI32.dll::RegSetValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample