MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800
SHA3-384 hash: d9bfc763d18d7349c689d92166dc766a9c7dc6759228d7bbba47ba482864227a18b335e3a6f97182ea9877f481f9b154
SHA1 hash: c02e69092ea6b2dbd94645942e3a7eb68164f71b
MD5 hash: 0e3a09a736a93983edf8aedc03c1964d
humanhash: hotel-florida-oranges-north
File name:PO.19062023.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:279'998 bytes
First seen:2023-06-19 11:01:36 UTC
Last seen:2023-06-19 16:22:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya63oPOnYBsKj0MlEjrg3OUUGaTqloAmlZBzFoj:/YtOOnYpJWjryfdopxz2
Threatray 2'325 similar samples on MalwareBazaar
TLSH T17F5412187694C87BDAE12EB10E321B639FF8E6151074935F2B3877897A32491AD0F736
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
288
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO.19062023.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 11:05:04 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/335f9637-684c-44ce-a1b1-feb56a34ec39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400384/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.22779.26959.11621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91551/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin masquerade overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/649035ab2e9e66969e6b61c5/reports/5a686a99-2195-47cc-9703-fdf4504c9551/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/550d982f-39e0-4822-b11c-96838077a829
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257300
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890316 Sample: PO.19062023.pdf.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 PO.19062023.pdf.exe 19 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\xtljwaa.dll, PE32 10->28 dropped 52 Detected unpacking (changes PE section rights) 10->52 54 Maps a DLL or memory area into another process 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 14 PO.19062023.pdf.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 2 1 14->17 injected process8 dnsIp9 30 www.jaxsearch.com 160.124.149.196, 49710, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK South Africa 17->30 32 www.iqpari.help 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 systray.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 09:23:17 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhmkrhubimwp4dae7clm7x5gtlvfjea4crkgbnfaxjuauzg2laaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
212eb6457e2cae481ba8533c34c29a37a75bb211f04bf86c60f3502f81820837
Formbook
4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757
Formbook
7100eca69ee44d96dd9a5b3ff0070d2a2778e827cfdabbb6fe96105d149b6426
Formbook
7ac2e4aad0054c77e7a2205d156da7032021be264702c8fa76eab7ebc44556ff
Formbook
80fd67b02253b03398a151f7c5392adfb32ad43a619a18c3dd8e2e8a876e9139
Formbook
83665b988b1a63b2d9eb4f3e3ef565f41a2871bfa2bf11d1e6ee62c8177f657d
Formbook
85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510
Formbook
9c3d5704da83029f78ee8cf532c746cd04834f5375a698f21c50040ade6c5a09
Formbook
abe4418b59e191a5abc3b8ea2dbab8d6dca92be6e909cb7fbe4a90ffeda3f599
Formbook
f309a5ac633edcbd01916f6bc4cfd10d90982f0443b57e19a5828fd70e83ce10
Formbook
+ 2'315 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mr04 rat spyware stealer trojan
Link:
https://tria.ge/reports/230619-m44r7sdd68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Unpacked files
SH256 hash:
7269be87efb4939fc31de9fee49dccbdf2dff38067a4a4f3e9c0eadd16890177
MD5 hash:
08059f60358e42d478fa75a4b2ddfa98
SHA1 hash:
1a2c29d7ce2275edd90b33ff844827f25085ccd5
Link:
https://www.unpac.me/results/5906ad4e-6d2e-47d6-8454-c13b237770c3/
SH256 hash:
a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800
MD5 hash:
0e3a09a736a93983edf8aedc03c1964d
SHA1 hash:
c02e69092ea6b2dbd94645942e3a7eb68164f71b
Link:
https://www.unpac.me/results/5906ad4e-6d2e-47d6-8454-c13b237770c3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1d8a89e8143/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe a1d8a89e81432cfe0c04f896cfdfa69aea54901c145460b4a0ba680a64da5800

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400384/

Comments