MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
SHA3-384 hash:	8d5856ca9071d1aea10d03b00e5eec48244bd1821a352b4033b08760659ccacc8138fc580311bbfd495405998ee311ca
SHA1 hash:	88acaab165522542fc7822a802a52106be3c0087
MD5 hash:	5e49722d1a57708765e4f0be7cb746bd
humanhash:	lake-blue-bluebird-virginia
File name:	SCAN00000026-DCTT_#HRTTMGHTWQQMTGGR467889.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	605'696 bytes
First seen:	2023-07-12 13:24:14 UTC
Last seen:	2023-07-18 11:38:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:DPw5CVJEHfnOYuAiOpskHnj9wqY7HBkPvBmE+NuC9/8D+DJwwYbav:7w5CV6H/OjAigs4wqEIpF2h9EkJwXu
Threatray	3'421 similar samples on MalwareBazaar
TLSH	T123D42320637D1B25C5A70BF922601A3053BD63EDBE31D38A0D86F4DA6D6DB484261F7B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SCAN00000026-DCTT_#HRTTMGHTWQQMTGGR467889.exe

Verdict:

No threats detected

Analysis date:

2023-07-12 13:25:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1c2a9cba-e0b6-4a54-bb13-109532588e1b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/416835/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.28784.6156.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw packed

Link:

https://www.filescan.io/uploads/64aea9afb1d2dc145c1c8749/reports/6045563d-b387-42ed-811b-9a7a47e2648b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/da526292-3182-485b-bb0f-9d422b37b1bc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1271773

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-12 08:03:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vgj6kkixwesacbiz7t3k3nrretmhydgfsthklcy5zzugx6c5pt4q._file

Verdict:

malicious

Label(s):

formbook

Formbook

0678008b99744da75d64b17e189a5f8934780a0ddf2384d8c24e4240f796dc34

Formbook

16bd868c6c2200864825de71892e8802f0f7f243f476dcd38e9d713bb0a5ee44

Formbook

5dbb4e38b75fcd447683c5c89948f3fb41373df5f1c0b15b9a907550e77ef272

Formbook

68f739e8cec56189a152729584f046954f13e32426331970eb755538a8008f1c

Formbook

719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513

Formbook

97bd79e26600f552bfb5764aec1606acb63b830b5fefb807d12fe2088854a3cc

Formbook

aff3ca091be594c0710fcd51d369673e2a11bce28d21434cce1970c22eb8e5a9

Formbook

b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13

Formbook

ead9b9c37d63a3b18959e6f4926d76364408f76ed882fad8e8b34ec496702bda

Formbook

+ 3'411 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ed05 rat spyware stealer trojan

Link:

https://tria.ge/reports/230712-qnysssed3y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

c2bfe3cf49d8f58f67d038098d05a96a179f655214af343e76e86d4c41efa503

MD5 hash:

3094d31787bddcf36fb1e7c57ed65350

SHA1 hash:

781284b231e8ada8180d4ec18841aa8da79680b0

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/afd363d6-8a46-44c3-ae19-1530fae3e30a/

Parent samples :

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496
ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b
e4072afd21da31150629928a4916d6635fa499bd9ff0f551a0c6d5add6d877b3
5ad354e8575a8c5c293f1fa8a1a25de41078a35c843b330a4b7529ec9b042d9b

SH256 hash:

8546eb2e805a224e21988d90e4b7fde882b0e949d984c3a3824fa9ba3060b78a

MD5 hash:

47d699859de1c31da4ef9401e6e49afd

SHA1 hash:

ef061b3538383c308d7c3906e03ab5ea836a9d96

Link:

https://www.unpac.me/results/afd363d6-8a46-44c3-ae19-1530fae3e30a/

SH256 hash:

7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941

MD5 hash:

508ba12479b3d78edb93f63b40ab3b7f

SHA1 hash:

d72b842c46546e4e494c9338b530e305dae1d5d2

Link:

https://www.unpac.me/results/afd363d6-8a46-44c3-ae19-1530fae3e30a/

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/afd363d6-8a46-44c3-ae19-1530fae3e30a/

SH256 hash:

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9

MD5 hash:

5e49722d1a57708765e4f0be7cb746bd

SHA1 hash:

88acaab165522542fc7822a802a52106be3c0087

Link:

https://www.unpac.me/results/afd363d6-8a46-44c3-ae19-1530fae3e30a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a993e52917b1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/416835/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample