MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
SHA3-384 hash: 99388987fa598abe0b2102f5305c6523f3ab7efa2c49477b3100324e528f605a25beceb268a061217d4910419dc35a00
SHA1 hash: b4358a09799a94808437c65b28876b1274728b84
MD5 hash: c62867b099db5616a4a6d1ee4b16ba98
humanhash: illinois-pennsylvania-bulldog-carbon
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:835'584 bytes
First seen:2023-06-15 16:08:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:TlKnu/EXqXdVcW0wWkD2IDCd1QHrx2H4W8YJ97bu+uRpAp:Yi4qXdVD0wWmO1ex2TNJ97a3pu
Threatray 2'855 similar samples on MalwareBazaar
TLSH T1C205DF80723E2967EABD87F50250527097F62E5FA55DF6E80CC6B0DB16F0F814A41E2B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0030684dcccc7010 (12 x AgentTesla, 7 x Formbook, 6 x Loki)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
No threats detected
Analysis date:
2023-06-15 16:08:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c7fdf8d4-1210-46f4-8e4a-4fa98cda3e06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399246/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67514365.22578.5995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/648b379fdea4ac2289ff4d6f/reports/51f306e6-dd0a-457b-b2d9-c3aa51b54bc9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a3e26f6-0953-4d36-90b7-efb3c0f6a31e
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1255437
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 888457 Sample: SOA.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 52 13 Multi AV Scanner detection for submitted file 2->13 15 .NET source code contains potential unpacker 2->15 6 SOA.exe 3 2->6         started        process3 file4 11 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 6->11 dropped 9 SOA.exe 6->9         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 04:26:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwcbgm43gh6d2hoo2w7kbkmksxomk5irbc2m6fktz4caysrblg4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
032454dace97a2e1d466b0a2749f8a3fbaac125c110a89f43a1ecac98aa05b49
Formbook
0335bef9440cae7dd60e617e31258a490b9598e3dfa1325bf79ca9eca5c4c720
Formbook
04641e247441a72cb287998b6f36b49959d43cfef538dd806aea04a8606817fb
Formbook
24f98f7fef3de7a8c4ae83117f7fed32c749684bc87cdcc7d1c96236d7278e03
Formbook
354c8752e895e413f243d8893cb1ba53c61d35c7e44233dfc59b85e382ec3c9b
Formbook
833a839bf412c22e06f2a3c0622e460df8fc5edbf55cdad09e7b76d5d73dacaa
Formbook
a85d2aa65e5b5d69769ff7dd1a63e90de9bd7f96a76fa96c52137587b63d1016
Formbook
d2b52bb53b70d2c91072c917fec7a81ab9de2384eafd1abe8c66e85f5b3e85ca
Formbook
e6d16fced75e8265e62b73cf660a303c0e03f50cead978df78b0a05f51aa42dd
Formbook
e83a100ef343119544c86c96100a05b5a710fc04479d6ac1673cc5ec6c8d11bf
Formbook
+ 2'845 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230615-tlsesaac9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
63bf875417a4d14485debe930a5948b79f02b45bd9669c530e717d929bb8da99
MD5 hash:
f927688f7160b7a62052b1d3ff01d77c
SHA1 hash:
bb0924d0778ae7ca1992c3fedbc4f3a6301584cf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
Parent samples :
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
ed570698ccddfc346f65b5b86045d8af239e0d2400acd5836818b95e7b658cff
412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
b45f9e29351506203a4101b1559e928ec3de39850008d82598b8ce1c3a7a13c3
117657ffb63ef0b6355173babb3e4fd141dc8be775e2ef30c23953b6396f4f45
00d56f9d4e23372133f953d1a0bb58567bc2e9bc34f9e70304116a6382448458
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
SH256 hash:
f01a6fc735878ac63e8b5585179a21b4dea5d15b5c679ac90cbab1a9d36958cf
MD5 hash:
3532237c1316ef2cc8a39372a6b5f72c
SHA1 hash:
5cf317deeff0ce552c933c7d4e44ef3f5bd7746e
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
SH256 hash:
d44ebda79e92f261591600e46db7c8c069ec046d93aa480a45e250543eda6970
MD5 hash:
d67f099ec1fbccf8dc0dfa098b88b0da
SHA1 hash:
e15a6bafab679225257796f5fecd70afcfbba515
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
SH256 hash:
d6d27ed1939b8527bfaab77b5cda589e3cdc842639958f7b4b63aed35ac7a7ab
MD5 hash:
72b601a1609673f221ca537200e6f074
SHA1 hash:
9bd391169223d5d967cbda11e237b68204cb8511
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
SH256 hash:
019c0c00a682c6e6f255d1ac56d5d51cd29d728dacc7a5994b1d39d087901f80
MD5 hash:
75689ddbb32d3941e77247c624b33ff1
SHA1 hash:
96f14871e5943036d932c52a2317094451aa617e
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
SH256 hash:
4337d234ee37ab7f45ddac3bf07d37d980b8717b07b0dc5a102ee9013fb3c252
MD5 hash:
85f066896897b96c239848a890e2a4ad
SHA1 hash:
2218adaf800b3e1ae9a4a18cb7651d279a700332
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
SH256 hash:
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
MD5 hash:
c62867b099db5616a4a6d1ee4b16ba98
SHA1 hash:
b4358a09799a94808437c65b28876b1274728b84
Link:
https://www.unpac.me/results/2322ced6-a7b4-4652-a1d7-de1b4ee6c7ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399246/

Comments