MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0
SHA3-384 hash: c2be95851f481cc6ba69f33304eca7e9fe2e783d87f45905e04d5224f2f8edc6316d82834eb12fa32fc7905fa1775b62
SHA1 hash: 5978686177e06c001204be8aef86ccc28fd92db5
MD5 hash: 31f682d265bb2bf6845a98e383d23ede
humanhash: ten-lactose-kansas-minnesota
File name:0630OTT231156917.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'127'936 bytes
First seen:2023-05-31 09:55:15 UTC
Last seen:2023-05-31 11:15:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:lX/LaVUH999yvrVq6UDWlR83Kt3Ffqcbo/DHXWRV89LJ+hD1P8:xTBH9yvrJmWlQK9FfvU7XIV89Lu0
Threatray 3'066 similar samples on MalwareBazaar
TLSH T11635F11023BF8F5BC57F67F20611577097FA6AA9743EE3198ED261CB15A2F400A02B5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
0630OTT231156917.exe
Verdict:
Malicious activity
Analysis date:
2023-05-31 09:57:18 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/41ab56e8-0901-440e-b343-edc461553347

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394024/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.28170.4766.20920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/647719b3d109727b63fdda0e/reports/d5d5f945-e65f-4fe5-aa14-a9014314ee67/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/853eba10-0c55-4690-8b4e-f5970485eb02
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245952
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878970 Sample: 0630OTT231156917.exe Startdate: 31/05/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 8 other signatures 2->42 10 0630OTT231156917.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\0630OTT231156917.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 0630OTT231156917.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 2 1 14->17 injected process8 dnsIp9 30 www.ihdshvbp.shop 17->30 32 www.forgottendemocrats.net 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 20:13:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whnmeufxsaeq25iejpyut626knzp5uj5jrcjthsgkoqvtwlmmoya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02b060c393fbc76a082ef0411f28e2be60bce1af80ea2df91f003e9b8a762b88
Formbook
0a8c3887feb56461cbd1e6263d7729d49c2651ce928fc888345fd99e88aab189
Formbook
16c87c0de9538e8cac5d187949b3fe9b1a11ee1ed2bcdcc726ea47115d6701e1
Formbook
291f9c211eed167fbf4b31411d79c7447a09b29dd2308dceacacc3fe31fa2364
Formbook
6f6635f95155f37d66c295977e973d28b681fb57fc50caf361e5e13f1037008a
Formbook
89dc8c98551c4f2b309fd2807b8bf1d24e1c2abd953930f95b5aa1987e0966f2
Formbook
9e392cb448daf1882dac5f6fbc0d736c76bed78befee2c8b513241b8ed6a95a0
Formbook
a28cb539852da2e100484ab8cee9613a28b2e68d409b99d80e27f4fb7f238b5d
Formbook
aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
Formbook
+ 3'056 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ga93 rat spyware stealer trojan
Link:
https://tria.ge/reports/230531-lycabsee3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
0b45ded9f991e23530a7b6cf0c5899e373aeff8d6cda9dcb2ed6d5c18d75cb3d
MD5 hash:
3ab4fc80a90fcdb31b76062f31db22b2
SHA1 hash:
e6eb609b2b457d128b620bf2286e53e59962351c
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/fe9730c4-81f4-4d96-a09f-5045e40de785/
Parent samples :
b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0
8df5b45068f0db6e7c557e62625444e14e5611f36682453ce80210cd1ec82820
136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e
SH256 hash:
bee4b6218a08375fa8bc13d5a1d2fe2ee72b525380fc65728b3d3087592ac27e
MD5 hash:
bd044d1ee5aec85a8ae4f46f2adb2f2b
SHA1 hash:
e4a507558757ba5d7e4d90314f129ddbffaa70a8
Link:
https://www.unpac.me/results/fe9730c4-81f4-4d96-a09f-5045e40de785/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/fe9730c4-81f4-4d96-a09f-5045e40de785/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/fe9730c4-81f4-4d96-a09f-5045e40de785/
SH256 hash:
d9d5371959a4289cf33991cb68ad5176be406202821eebd9bb1c083c5e72e1bc
MD5 hash:
9c9f534abb540304184a3b9d876c9c8d
SHA1 hash:
01967ae6a35df9acdf47fbe384e79c7173827314
Link:
https://www.unpac.me/results/fe9730c4-81f4-4d96-a09f-5045e40de785/
SH256 hash:
b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0
MD5 hash:
31f682d265bb2bf6845a98e383d23ede
SHA1 hash:
5978686177e06c001204be8aef86ccc28fd92db5
Link:
https://www.unpac.me/results/fe9730c4-81f4-4d96-a09f-5045e40de785/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1dac250b790/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/b1dac250b790090d75044bf149fb5e5372fed13d4c44999e4653a159d96c63b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/394024/

Comments