MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 16
| SHA256 hash: | bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38 |
|---|---|
| SHA3-384 hash: | 42d56113a7e7f50eddea9f4b6e4492179217dab2b38eb821e94afe28246c845a03bc0144de1ecbda2b18003030d322f1 |
| SHA1 hash: | 1e5efb5684744cdad3710e2baea7a61c1874029b |
| MD5 hash: | da690707bf6b9eb7ac725ffaab138475 |
| humanhash: | mobile-chicken-tennessee-oranges |
| File name: | BS Orden de Pago 20230315-1000_0000015444552000_001888.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 847'360 bytes |
| First seen: | 2023-03-17 12:43:32 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 24576:OJQwcozQuRMLoqEAjoIpDmLRSacJfSartfFC1OQ:JopMLoqEeoIpDmDcJfSa |
| Threatray | 2'375 similar samples on MalwareBazaar |
| TLSH | T18705024DAAE4982AC95D0BFAD4831C2052739433AF56DF0AACDA00E61F223FBD4559D7 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| File icon (PE): |  |
| dhash icon | 8e0d8c1414e87f8e (7 x AgentTesla, 6 x Formbook, 4 x SnakeKeylogger) |
| Reporter |  malwarelabnet |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
BS Orden de Pago 20230315-1000_0000015444552000_001888.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 12:43:45 UTC
Tags:
formbook xloader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
formbook packed
Verdict:
Malicious
Labled as:
Trojan.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2023-03-16 12:32:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 2'365 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:jr22 rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
a3eba40fbfb3681e240ed1dda348e16880a4e06a9990cbb6248a3be71bad4650
MD5 hash:
da2d6df235ec9fbc62e4787b0a0d2864
SHA1 hash:
846014461b5efddb0bf58dc62a5a2791aec58dbd
Detections:
FormBook
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
53cc734dfa4d7b0bfa0cd0e14af42363792980b96bf42ef0581a8cbc05f5bb82
759145621f94949b40fccce63ea37d4d797d9a8548e0e2243bc53cd8b38d5ed8
14b54b7a4da97a23f3087f1b7641136dbd2d54930722dbf44afbc582e8aeb93a
fb153302b37f24aa962a21dfd2412a8066db5a7440f90ecd9611992c265af5b7
227b1adbf8ac110359ca5f0b02f8c371e8305efd24dc6864d3fce51f703ba76f
676416e2c1407bc9019df6f3228e3fad314beb2c7407a537cdeeaddb85fd1360
d129440d60999cafe3d6b5dd963f432a9dbcf984ecbaf6a8e804fa83774aa27d
4a8431b326b81b6a7511866390b22fad55234b730d7b1f02ff49664651d23b05
884a00ed9586fb90dacafb862e1109e3bf77181e0da9753f8d1d14447b3ca377
babfc42e0af2245a67e8b245bdd1f5e11c840cae6e06ecbc6593ed62f4dd2175
457abec90e7a3b7dfbe608a34190a08b1a8ef3b16afe476abb39678da853a7da
a4a1a724d5b3303e41f303298a3506cdbfa9913a43381c374968b3b5e015aad4
d51e64e598f57356d2e7f0ab76723cc0d1efef0c6ed396d29efa50a229a82a4d
95ff1b2ac39df0ad2ea1949b63257b6312caadc9da7fbe292f71e6a3d4c8c624
49790af2d4dbcb19d9467b8c3fffc208ec92eb4368bb2e98102699ec28501667
709fadc9b117a1a600f71c727e8c2c879434d118f79e033f7a2aca969068c9cc
49bee43f1928c8c6cf9c0d2d692df4581235784d51ded3051685fd18a51d5599
c2a2e935606e9b8d5ffc48c3fe91812e29f8abf0de31abfd6eb4d014fe781e5a
00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590
22445431e206fbef66234fe0e6bea47e01e1119157048059c918500027f016fe
1edc58836efa9d62f0257732fd5729bb5b36df6312aca2f29d12dce0731a0c2b
4abe84412ba863045280e803595082ce90ce2684640da996c6f2987a9c4cba32
e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6
32a657e250df4fd725a82f39075a8b2286d4e5a0d305df66deba979488c22312
48b6f902f4f54d1b87cac19db77d780623796062a1be32c858c8cf1881b1acbd
a14a7402e2a08d44585f37122f323cfbfd13f2e5d36377242e60dba60a348610
e63c3b11d92150b40ea8e1a34314be6055aee5214b3558473c539e9aa33ec150
35511df3a80e96c275e6d63f58921358bf51dbef3f981a316d2212242112ba9f
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
d81949804bc29604ac2de2ac9f2d360deae54a39d28edfbc9b323868b619b059
b3d799fc625b259d9572ca933476c856f5cd821cde94e5360f1ea1921a6427ec
c1b6263682ff4c894af9df16a4f6c63bcd49248f2a580b3a3c86012d44388437
e8bc95bd3989e65c252e733adab5c16d51b18c19bccdab299d914cf6df922826
8987e10cdb8602039c7980d8a3d3736dbc9c65da17ffbc1a5844ae1da1d2ea9f
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
ae1f2c8fd75695601dbe0f3b3fd00922495add9f623a81c0989c0fd17f10776b
5fc72e527c95078de299e57ba9a01084691efbc8cd9d4a5d5999db4506c6f46a
da09c2de0b3ff15f2a68fcb18c12bd974a1b67d282f09f0941a64d08d9af83a7
4f878a5470b9cd89d1db651b83471d169e825150b4063a1cce12ea0e747b187f
c3a388437fe334c0af827aaba2b9bbc4bd622b93faa6f8ecf39660e110a4affa
1c38daf9f1fd8cf3cc954ac18893d3d7cd9ebee75b49ce29fb885910d83740fd
ae5b981a55ba0eaa4cb03700d54e3a78799590691315b2973ef1e4e16b2e8c9d
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
35e4bbcb475db082d2dda25b1e2acc001567abe7bbb4c0975827c800a529b2f4
2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56
a6821b8dbe19bb7e7b1b43e26f7a48c4b3ded583ff774e7a754b303af70ffe10
d2da367f408927aed9dc92251cc05f67a7032b9f59eafc1db59c1cc4aa71646a
4665c6ecef9d50ede04cfe2946684aead2040e9e1321d6324801e18673f67271
033533baa2ac7c6e43f18048aa02f5b150ab86384fd95fb4d49e58660f2c5d2f
3adaefb94e006670d66c9675ecf47b65a27bc39325bf96432c79ce47d473edcc
c4333322e47f6528c43a77936dea4bcf9230a3ec68c527d931d3c1c8f6232baf
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
b289fe67b0185e1ba0177f583675ce399772bf03fd813d47835c45427f71fbf0
b6209f2e0f32d7b0b3bc43b87bd3b44349ea80587db13d6d02ca6398d4459f6f
3e07d75e18bdabe5880fe8e4dbd5fad1b9d2c111ee6f43b35ddb5ff8286fd2e7
2484791ea3c160c3de266ebd831f707da64d5e5f31ed81270bf18947128d0933
ae53e378d16d207d5bf419aba715a89f84a0db8e7de1fb4ff0545d54cac1eb50
759145621f94949b40fccce63ea37d4d797d9a8548e0e2243bc53cd8b38d5ed8
14b54b7a4da97a23f3087f1b7641136dbd2d54930722dbf44afbc582e8aeb93a
fb153302b37f24aa962a21dfd2412a8066db5a7440f90ecd9611992c265af5b7
227b1adbf8ac110359ca5f0b02f8c371e8305efd24dc6864d3fce51f703ba76f
676416e2c1407bc9019df6f3228e3fad314beb2c7407a537cdeeaddb85fd1360
d129440d60999cafe3d6b5dd963f432a9dbcf984ecbaf6a8e804fa83774aa27d
4a8431b326b81b6a7511866390b22fad55234b730d7b1f02ff49664651d23b05
884a00ed9586fb90dacafb862e1109e3bf77181e0da9753f8d1d14447b3ca377
babfc42e0af2245a67e8b245bdd1f5e11c840cae6e06ecbc6593ed62f4dd2175
457abec90e7a3b7dfbe608a34190a08b1a8ef3b16afe476abb39678da853a7da
a4a1a724d5b3303e41f303298a3506cdbfa9913a43381c374968b3b5e015aad4
d51e64e598f57356d2e7f0ab76723cc0d1efef0c6ed396d29efa50a229a82a4d
95ff1b2ac39df0ad2ea1949b63257b6312caadc9da7fbe292f71e6a3d4c8c624
49790af2d4dbcb19d9467b8c3fffc208ec92eb4368bb2e98102699ec28501667
709fadc9b117a1a600f71c727e8c2c879434d118f79e033f7a2aca969068c9cc
49bee43f1928c8c6cf9c0d2d692df4581235784d51ded3051685fd18a51d5599
c2a2e935606e9b8d5ffc48c3fe91812e29f8abf0de31abfd6eb4d014fe781e5a
00f7a2f6f6aa920955b8102fbb0df70ed31a8e063f0da8b31297049236313590
22445431e206fbef66234fe0e6bea47e01e1119157048059c918500027f016fe
1edc58836efa9d62f0257732fd5729bb5b36df6312aca2f29d12dce0731a0c2b
4abe84412ba863045280e803595082ce90ce2684640da996c6f2987a9c4cba32
e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6
32a657e250df4fd725a82f39075a8b2286d4e5a0d305df66deba979488c22312
48b6f902f4f54d1b87cac19db77d780623796062a1be32c858c8cf1881b1acbd
a14a7402e2a08d44585f37122f323cfbfd13f2e5d36377242e60dba60a348610
e63c3b11d92150b40ea8e1a34314be6055aee5214b3558473c539e9aa33ec150
35511df3a80e96c275e6d63f58921358bf51dbef3f981a316d2212242112ba9f
3130fe0040aca5135a6c22251a313fcaca05c404082727d8191545fccfcd3a02
d81949804bc29604ac2de2ac9f2d360deae54a39d28edfbc9b323868b619b059
b3d799fc625b259d9572ca933476c856f5cd821cde94e5360f1ea1921a6427ec
c1b6263682ff4c894af9df16a4f6c63bcd49248f2a580b3a3c86012d44388437
e8bc95bd3989e65c252e733adab5c16d51b18c19bccdab299d914cf6df922826
8987e10cdb8602039c7980d8a3d3736dbc9c65da17ffbc1a5844ae1da1d2ea9f
2016dcdb738fdd4dbcc09bad9e63604259b3b43ff2df2c9a5fc8d26d0cf6ca4c
ae1f2c8fd75695601dbe0f3b3fd00922495add9f623a81c0989c0fd17f10776b
5fc72e527c95078de299e57ba9a01084691efbc8cd9d4a5d5999db4506c6f46a
da09c2de0b3ff15f2a68fcb18c12bd974a1b67d282f09f0941a64d08d9af83a7
4f878a5470b9cd89d1db651b83471d169e825150b4063a1cce12ea0e747b187f
c3a388437fe334c0af827aaba2b9bbc4bd622b93faa6f8ecf39660e110a4affa
1c38daf9f1fd8cf3cc954ac18893d3d7cd9ebee75b49ce29fb885910d83740fd
ae5b981a55ba0eaa4cb03700d54e3a78799590691315b2973ef1e4e16b2e8c9d
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
35e4bbcb475db082d2dda25b1e2acc001567abe7bbb4c0975827c800a529b2f4
2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
b3811fa28d3e22cf5029476f6870c54e7fcd4d68da1342bb199ca6d41ed9ff56
a6821b8dbe19bb7e7b1b43e26f7a48c4b3ded583ff774e7a754b303af70ffe10
d2da367f408927aed9dc92251cc05f67a7032b9f59eafc1db59c1cc4aa71646a
4665c6ecef9d50ede04cfe2946684aead2040e9e1321d6324801e18673f67271
033533baa2ac7c6e43f18048aa02f5b150ab86384fd95fb4d49e58660f2c5d2f
3adaefb94e006670d66c9675ecf47b65a27bc39325bf96432c79ce47d473edcc
c4333322e47f6528c43a77936dea4bcf9230a3ec68c527d931d3c1c8f6232baf
1a166a2469e8634ab832469a47076affd97eec7d5b4855f33879960e559a235d
679e687ae1611a7eb7d00d06c9f8ae37b9168838c9ff9b822174f6b0de6304d0
b289fe67b0185e1ba0177f583675ce399772bf03fd813d47835c45427f71fbf0
b6209f2e0f32d7b0b3bc43b87bd3b44349ea80587db13d6d02ca6398d4459f6f
3e07d75e18bdabe5880fe8e4dbd5fad1b9d2c111ee6f43b35ddb5ff8286fd2e7
2484791ea3c160c3de266ebd831f707da64d5e5f31ed81270bf18947128d0933
ae53e378d16d207d5bf419aba715a89f84a0db8e7de1fb4ff0545d54cac1eb50
SH256 hash:
21d7b2fabe993190abe251195abff3464fa5b86e13e5582e5f8306f05a67d9e1
MD5 hash:
edc153f446aea46103e2fca3fc546fa3
SHA1 hash:
cc6990d318bcc649bf2c8dda7eaf6797ab352d8a
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
SH256 hash:
5836428d8df4e6ce3c7d06d760ec70ee815ade055b24c3c9eab87ec292dfd0fb
MD5 hash:
9ad7d6a00fb23042286342bab5339a52
SHA1 hash:
7abac9e2eaf8796f7d69ec28b2cd8b3023ae6744
SH256 hash:
f12f1d40abdc1b9bc9b9e63278d2431cd9413384553ba3052952e7ac41d7c529
MD5 hash:
f86d34df8cec3a3ed67a8b3e5acceaa0
SHA1 hash:
49fb51165f716b044bd70b0a60a757d20830a116
SH256 hash:
bbce59cd09b98759f1e8de287441906c11a8698581e9a84e302626e48abc7c38
MD5 hash:
da690707bf6b9eb7ac725ffaab138475
SHA1 hash:
1e5efb5684744cdad3710e2baea7a61c1874029b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.