MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5
SHA3-384 hash: 5f83a1e1b8c980da5c230f50e9779ae9a82c157e855801dbec0f3e7292e6de7664a03f65f287a0e8324c966f11f571e0
SHA1 hash: dce5decd11e16806194c3051e23b203e080d3475
MD5 hash: 73813d02ab35db71ea6a4fedff72ab9e
humanhash: edward-autumn-twenty-dakota
File name:Halkbank_Ekstre_20230718_080713_458894.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:776'704 bytes
First seen:2023-07-18 06:33:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kf+Z1Q8cW9RoFDfb/WT4UkuZzRwEYjwpo/l2gG9GMw7F50hQQ5Ua4Gbiu2oX:kGU8cW9RoFDfzW/ZzRwB8pVgGevnVjW
Threatray 3'220 similar samples on MalwareBazaar
TLSH T166F4F01033399F17D8BC63FD9560661843F96957222FD3448ED73DEB36AAF404A42A2B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe FormBook geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230718_080713_458894.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-18 06:35:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/96afd3bb-7b54-48a9-876a-0ec87ec8061c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423235/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.16515.5039.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64b6325d87b3dbad8aacf19f/reports/d506823b-d79d-4a00-b30c-1c3ceaff7a0f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d33b6cd-a55e-449a-97ad-b0f5cbd94170
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275004
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275004 Sample: Halkbank_Ekstre_20230718_08... Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 7 Halkbank_Ekstre_20230718_080713_458894.pdf.exe 7 2->7         started        11 QQYDXYVJyvmHX.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\QQYDXYVJyvmHX.exe, PE32 7->31 dropped 33 C:\...\QQYDXYVJyvmHX.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\Temp\tmpF24.tmp, XML 7->35 dropped 37 Halkbank_Ekstre_20..._458894.pdf.exe.log, ASCII 7->37 dropped 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 13 powershell.exe 19 7->13         started        15 schtasks.exe 1 7->15         started        17 Halkbank_Ekstre_20230718_080713_458894.pdf.exe 7->17         started        23 2 other processes 7->23 53 Multi AV Scanner detection for dropped file 11->53 19 schtasks.exe 1 11->19         started        21 QQYDXYVJyvmHX.exe 11->21         started        signatures5 process6 process7 25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 conhost.exe 19->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 05:24:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v76hjw4qnjvvpwkavechcicjek4xpbbg4hppws7fwzctbcy2hwsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f
Formbook
0bdde3cb5bc10aa2aa88e00599e59b6ebfb1ce24fe78dc2871ba3c8118f61c91
Formbook
2cd9e8fc5b73c35422b79574233937370a03f6714ba9e813da80ac2974b4cf91
Formbook
455479a2d31bd901fdff62e67ec93e40f80e5956384e93e5030132d4a490501f
Formbook
56ad658ef29551d86add3dc7f16538402f1d894ec746bdf14444a4b01deabda4
Formbook
7997a727f9b2d2bba8f6a846dda7f4640c5b3d1d31db85deb0ef1c4ff05574a4
Formbook
7db4eb09d5e3b7b8cb37539295da0190b1c1416898804b297e1bc7b5f5eff9e8
Formbook
80802d7e4597b03c737d2baa9bb2cb2a400f2c0546218cfa505d408ec5d99b15
Formbook
bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e
Formbook
d4bb1c789100f6305c61e2be96351d53f20c091fa032948fcece3f73a29e0861
Formbook
+ 3'210 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230718-hbrjysgf67/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
c4aa2a951d45c5dcda2a9fcc74303e04b2855272f1abb124c5d0b0b3b6e1bad6
MD5 hash:
ac60ea23ca3cdbd89e0815d94c5f0bf8
SHA1 hash:
c6a40024710286e2f5ed6094dcc1cdb2aefd7f6e
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/42954edf-0023-45d5-a398-bb32f355a492/
Parent samples :
351e57f3d222d0e1fd7639e2853d6e0a25025987c4cbfd232d22728e83debc7f
affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5
SH256 hash:
adaa803ee32e3399c7f9fc36c554213ab7f89675c9e59bd72d6dc4bb83669839
MD5 hash:
48803e602c57905524d0abb53d106e93
SHA1 hash:
36a32c7211f36b9e000c65249071b13b88547698
Link:
https://www.unpac.me/results/42954edf-0023-45d5-a398-bb32f355a492/
SH256 hash:
c1796a8cf6be4b31342d3ba730ee278132be920a0b0946531edfd5d3ab2415ef
MD5 hash:
594173a93a04d2b9ed53ee505a9d418b
SHA1 hash:
f2c5e775bf98475700c428dd92c2d25ee330e96b
Link:
https://www.unpac.me/results/42954edf-0023-45d5-a398-bb32f355a492/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/42954edf-0023-45d5-a398-bb32f355a492/
SH256 hash:
402e4069487317fae856f875e2b39cb85e42a61140afcbf2b42be3c92a6c42d9
MD5 hash:
385394edfd7634ad94d6efa25adf68b2
SHA1 hash:
0c2e5700bf7aaefd0623bd6d2aafae1111a3a560
Link:
https://www.unpac.me/results/42954edf-0023-45d5-a398-bb32f355a492/
SH256 hash:
affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5
MD5 hash:
73813d02ab35db71ea6a4fedff72ab9e
SHA1 hash:
dce5decd11e16806194c3051e23b203e080d3475
Link:
https://www.unpac.me/results/42954edf-0023-45d5-a398-bb32f355a492/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/affc74db906a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe affc74db906a6b57d940a90471204922b9778426e1defb4be5b645308b1a3da5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/423235/

Comments