MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
SHA3-384 hash:	d365215cfd929ad70b124a93f40521d5418974766e13a91ec6d0900296534cac5f5aa74ddb0d68f19a2062ccd2ddc420
SHA1 hash:	2fe7d2b6c0c0198e44c935675929e44a1085b5bf
MD5 hash:	c5356c7eec60fb77f7538a743cc82e61
humanhash:	utah-muppet-lithium-indigo
File name:	LENG EAV GROUP-pdf-scan-copy.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	530'944 bytes
First seen:	2022-01-31 04:49:30 UTC
Last seen:	2022-02-09 10:19:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:ucqiOnVO7JhJ+cicM1CtLWCypAD7V83OTXeJ51XlBV:ucqJVOVz+1cMOqCypiWoO
Threatray	12'961 similar samples on MalwareBazaar
TLSH	T131B4BEB461BB8651F10BCA74646DF96002F234E3A9C68F7957293681CFAAF543E8470F
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

LENG EAV GROUP-pdf-scan-copy.exe

Verdict:

Malicious activity

Analysis date:

2022-01-31 05:01:45 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/fd5a1ea2-11a7-425b-abb4-afb41a778e04

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/228282/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61f76a84fc92af0d80a7184c/reports/7a5e171d-e502-47d5-8750-e1a1b88bafa4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f6173df0-0e5e-4a71-a986-5cd9bf25c1b0

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930536

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-01-31 02:13:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=thrwprkef3cj6fcmgmhwkghimsgcm3fvhkojapsyfhhgldhwzyfa._file

Verdict:

malicious

Label(s):

formbook

asyncrat

Formbook

2a2187ae775f286c2400957b71aac1c550779fc6652a710d126546d4d4879f0f

Formbook

6403d40c99b5036c9410e11c11872bdceb1955da70a17bdb979cac381d09cc74

Formbook

711f3855c0fe6398f1fdb5a870de829c005b60cd4c90bd8ecae5780b9427716f

Formbook

73c029fbd27d0c281ac91d030160bd9ba859ab57db73b5fd7011f470ab90fc8e

Formbook

7ed04ae044306c081040b3b0711a8d2fc725996e5f529a94c7ca88b56a944d75

Formbook

86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718

Formbook

b63c82c7ada645bc96da74ebd031970c0ee2e7a568c2929181c146144682b2c3

Formbook

fedeb19031bcc0941b0943dd3ed45ee6095b8c489c072c85e513b414abf8acf5

Formbook

+ 12'951 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:m17y rat spyware stealer trojan

Link:

https://tria.ge/reports/220131-fgb1cafbej/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Unpacked files

SH256 hash:

ab470fd714fc34133c14152b089ccf3ab67b30bd4b4b2f43641988dae8024d3c

MD5 hash:

4d770b2150ee0e4b34444f7c96e8f33c

SHA1 hash:

1cec212039c7d3758cf562ec504927da36ace1b9

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/776ce4e5-e9e1-443a-b7ed-c6585ab91194/

Parent samples :

b0d65cf9bd6e65d3d8681b4366ceaa50cebea2895a960a2ea9972fe07a09d614
6403d40c99b5036c9410e11c11872bdceb1955da70a17bdb979cac381d09cc74
495be7b55ddb42db06efc3e8639a6943018b72a64d2917c356250ee517804e1f
75daacd428208a7edb9f0ae1221148fcc7145f9aaeab1579ff6899669d423280
ceff3e5d81586ce81d6e93178e30d16239827b4aefbe09a382e9f9fbf8635ebc
711f3855c0fe6398f1fdb5a870de829c005b60cd4c90bd8ecae5780b9427716f
d538d68cddac2610bba6c965956bbb1cc2db1c929a74451a97c39d3b5138c267
99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
bcba0056c80d1a5c320dd74fea9caba51cc2f41c4d05215df1ab825a5ca10de4
95773ba387f93d567c9b0dd7e7c6a71e67e9545b146231c7acfc24d040fdd249
74d29246ce34814d9cfb6861abf061483f9eb5087181f345e68bc14a5d4287b1
1b66db6f934b729f050c4d916bd3942e279224912b56d729f2b194a53b03d7f7

SH256 hash:

6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc

MD5 hash:

60a604887b3616e3ed86d81fab0a9ebb

SHA1 hash:

8db84f5f4c569c86c69aff464b2ffc4ce3dafa20

Link:

https://www.unpac.me/results/776ce4e5-e9e1-443a-b7ed-c6585ab91194/

SH256 hash:

356c246faad7e9970a2ebd8e2f89907005f87c454d1e00396eef6cd35b768dea

MD5 hash:

01fe65b74255695f4042172cfdc83260

SHA1 hash:

726e9678598e2d7ff1011ce67976f9b99019e814

Link:

https://www.unpac.me/results/776ce4e5-e9e1-443a-b7ed-c6585ab91194/

SH256 hash:

99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a

MD5 hash:

c5356c7eec60fb77f7538a743cc82e61

SHA1 hash:

2fe7d2b6c0c0198e44c935675929e44a1085b5bf

Link:

https://www.unpac.me/results/776ce4e5-e9e1-443a-b7ed-c6585ab91194/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/99e367c5442e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/228282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample