MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
SHA3-384 hash:	49d420c6bc311fb6ca3cbe77eeced10abffbd49ea237a91a82a3b8f83613a6b422f5ae703f93f63a79d1e02d96d691e3
SHA1 hash:	3ef863e4b67c17f80b60cfbbab4b9e35cc8e72f1
MD5 hash:	69d9d64735ed1e0b944f13f76039f88c
humanhash:	music-may-minnesota-chicken
File name:	SecuriteInfo.com.Win32.PWSX-gen.13195.29257
Download:	download sample
Signature	Formbook Create hunting rule
File size:	588'800 bytes
First seen:	2023-07-25 06:28:32 UTC
Last seen:	2023-07-25 07:46:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:cFqOf6/zrkBHsKanqgMx0HppO7fxTUApj2H/8vMR:FMOzgpRgMOfOlMHUC
Threatray	3'447 similar samples on MalwareBazaar
TLSH	T176C423042F7D9B57E9FFABB8086658C18AF1F9263E21DA061D4070FB166A71C07D291F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f4f0d0f171697130 (5 x Formbook, 1 x Loki, 1 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.13195.29257

Verdict:

No threats detected

Analysis date:

2023-07-25 06:31:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/edd04efd-318b-4dcf-b1dd-98e14f8931ed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/431864/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.29799.19738.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e256643-88e9-409b-b2aa-74e6ec897b1e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1278834

Signature

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-25 04:03:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ua5yv2atcndctdxvbs6zilkjxubexcwcevdh7fqgqjqa7shmdx2a._file

Verdict:

malicious

Label(s):

formbook

Formbook

3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11

Formbook

3e2763c4e10e822e79c3c8890a0041a0f978cbfeb7e4a78156c9b6aabf7cb4d0

Formbook

6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0

Formbook

7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484

Formbook

b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87

Formbook

bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a

Formbook

e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69

Formbook

+ 3'437 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230725-g8wz9sbe61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

2388d16f2f0aa2356b18a27b4dfb7f1cf92281ce552f8b345074f3f76c765557

MD5 hash:

8464437055d3802341c759fac19a4eb0

SHA1 hash:

2a9668faa9ac1adf7c844406cc29829d35e9294f

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/38dcd95e-2b6c-47c7-813b-561d62f86b56/

Parent samples :

3e2763c4e10e822e79c3c8890a0041a0f978cbfeb7e4a78156c9b6aabf7cb4d0
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4

SH256 hash:

bdcc7e9bf098a6231d3797ada9e1879c590ad0268ed049299602a99d0f6747ff

MD5 hash:

777d8633855ca251fb9944920f0d4165

SHA1 hash:

a63f3947f9d67ae2269312a49cd1587334439269

Link:

https://www.unpac.me/results/38dcd95e-2b6c-47c7-813b-561d62f86b56/

SH256 hash:

e143ff2ab0530bdcece7285065da05509c26167f46161b0ec7bf45af3adcb5ed

MD5 hash:

0b4eaf060a6afe5acf345d58e807dbb8

SHA1 hash:

b8dd934ff2b749d935fa3c14276340eb4393e5b1

Link:

https://www.unpac.me/results/38dcd95e-2b6c-47c7-813b-561d62f86b56/

SH256 hash:

30bb4e52f3984bcdd262d8ad3224ad14d0f2426da93f2479a1e6b94e9fc30155

MD5 hash:

29f9e1147f47779166332425eaf4709a

SHA1 hash:

29bafe2b69c148d3cf7e55feff2498f0810b02dc

Link:

https://www.unpac.me/results/38dcd95e-2b6c-47c7-813b-561d62f86b56/

SH256 hash:

a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4

MD5 hash:

69d9d64735ed1e0b944f13f76039f88c

SHA1 hash:

3ef863e4b67c17f80b60cfbbab4b9e35cc8e72f1

Link:

https://www.unpac.me/results/38dcd95e-2b6c-47c7-813b-561d62f86b56/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a03b8ae81313/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.