MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0d90eeab3921102529454f3438972973cd45631584164a0fa6fcbb393d9d8cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0d90eeab3921102529454f3438972973cd45631584164a0fa6fcbb393d9d8cb
SHA3-384 hash: 8df73acc28a75feafe69b238b37b1300f4f67495deace10b556ee4bbb4afae6177b919dff0bb30f36f889c3f7d58aa9c
SHA1 hash: 200bb4b564ba7f7f9273f71d5d6d6dd06f45f91b
MD5 hash: 57fa79c2f45c1c92cf66cf8bfdb7bc84
humanhash: pip-foxtrot-gee-purple
File name:SecuriteInfo.com.Win32.Trojan-gen.30004
Download: download sample
Signature Formbook
Create hunting rule
File size:998'912 bytes
First seen:2022-09-16 14:00:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7338c7ae237b509c01233508a9c58a31 (1 x ModiLoader, 1 x Formbook)
ssdeep 12288:Mi8HjEB1mpzdFnoIvtUg2jIEsnciI50wv2ykDooyZGbR48yArhf7fvq:MvD+mpzdCIvtUjmnzfXooX48yAlv
Threatray 14'386 similar samples on MalwareBazaar
TLSH T1BE25AFF5B1F08733C023553DCF2762A9963ABF205D14A84A67E13E4CDF796C1242AA67
TrID 44.6% (.EXE) InstallShield setup (43053/19/16)
14.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
13.5% (.SCR) Windows screen saver (13101/52/3)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f48888868e88b4 (12 x SnakeKeylogger, 7 x Formbook, 5 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.Trojan-gen.30004
Verdict:
Malicious activity
Analysis date:
2022-09-16 14:15:31 UTC
Tags:
installer trojan opendir formbook stealer
Link:
https://app.any.run/tasks/9bafb7ed-63e3-4fb6-82bb-389a73420d7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310562/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.30004.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37886/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/632481a8b564f001cc8e349f/reports/234d9e72-73a7-47c8-bfa8-f7190766612f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef388b2a-58c3-4980-9858-86cad8add387
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071649
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0d90eeab3921102529454f3438972973cd45631584164a0fa6fcbb393d9d8cb/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-16 11:31:47 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udmq52vtsiiqeuuuktzuhclss46nivrrlbawjih2n7f3he6z3dfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526
Formbook
4ed2e62c7ba6acded6001155a43722102f950a3b2b5bb33a4f0a3597a2d6a8ff
Formbook
4ed7500498bf6e841d2089acf3ae49e8a9a29c67926c390ebcc1a36a17cd6329
Formbook
55f287c30331608f0796a2c9bda16a5a9429b7cb0c8d3928d2ee63184bfce9fb
Formbook
8b52c0ca8e1117f7be2e09a6ed854c4a7131d1f0950fcabd665999b96e254bf9
Formbook
a139b8fab8e24344af7b4f5a261440cb81449a71449e20e1ab16abdd4e35e909
Formbook
bd06c34a413a4ca8e49ec57f8ea6f52f69eb16c4fce86db93761c4da50c94edc
Formbook
bd80461f8ced83b6ef02cc5e7c678418da890aed3941b48d42da4c1cab3ce39c
Formbook
d2183bf60c2185315340c5cf7787b84f285e4e34e3f1d55ee8ab2bc6dded0d94
Formbook
efa3e40934344f2397c3494cbf46481ad7d51134e9da157ccfc9d4a9e6e8cbd9
Formbook
+ 14'376 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:od65 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220916-rbjc1sbfer/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/650339ed-3c48-4a51-9067-73bbeccb0747
Unpacked files
SH256 hash:
a0d90eeab3921102529454f3438972973cd45631584164a0fa6fcbb393d9d8cb
MD5 hash:
57fa79c2f45c1c92cf66cf8bfdb7bc84
SHA1 hash:
200bb4b564ba7f7f9273f71d5d6d6dd06f45f91b
Link:
https://www.unpac.me/results/42bece1f-2dab-4640-8ac5-62bfee877f39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0d90eeab3921102529454f3438972973cd45631584164a0fa6fcbb393d9d8cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310562/

Comments