MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a
SHA3-384 hash: 02f8802f0af6fa1f9dc90100c6b60abfe89eafb7611fc9895734cf3e566a864d72dbd8763cea01ea6b5e020ed814ec54
SHA1 hash: 7f48d6433dcba358dcef74b4d76c62033055edee
MD5 hash: db200e65bd875cca2fe493f3ff1832a8
humanhash: alanine-pasta-vermont-two
File name:询价.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:615'424 bytes
First seen:2023-08-30 06:39:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:A4C0hs7kkIfUzSM+2ADlsvb/e+E1IIIb1uDtAHAz2N9At6qnjeM3:ATSnkIfUz9+xWvVE1TeuDtAgz2st6qnf
Threatray 429 similar samples on MalwareBazaar
TLSH T134D412229BA92F17D1B68BF908411E1403F839276460D7685E8573FF3AB4B497723E1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon fc8b0c8c8c868f7b (2 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
询价.exe
Verdict:
No threats detected
Analysis date:
2023-08-30 06:49:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5a4abe7-6dc1-4889-bb0f-71e5409ce177

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445243/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64eee44c1d3a8c6c1217e0eb/reports/2e1b11f2-bbf9-4a03-86f5-a43608d1d933/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8eb6c402-4aa7-4789-ab31-0988642a90da
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300193
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1300193 Sample: #U8be2#U4ef7.exe Startdate: 30/08/2023 Architecture: WINDOWS Score: 100 34 www.lynkeechow.net 2->34 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 8 other signatures 2->44 11 #U8be2#U4ef7.exe 3 2->11         started        signatures3 process4 signatures5 52 Tries to detect virtualization through RDTSC time measurements 11->52 14 #U8be2#U4ef7.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 28 heartfulhealingandwellness.com 15.197.142.173, 49756, 80 TANDEMUS United States 17->28 30 ourrajasthan.com 68.178.149.56, 49761, 80 AS-26496-GO-DADDY-COM-LLCUS United States 17->30 32 6 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 cscript.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 07:28:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xrt24osvjurhp7uff3klkvcyswla2mx2xji4thlywud7253tjwna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1fe93bcce0611f7025ad13add45a4f37516a1e9b3f348e553fa27d184bf441c7
Formbook
244da7e5507e828266a961e3f4bd165f1b8c408463157d6c1e01bef1cf162034
Formbook
323dc9de135c89b75b7a42b2c5a6327e09acafe52c035464316e170f3f55b6ac
Formbook
69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0f
Formbook
7a4cbe6918c174321d777bd64c6cd6d8c6a3ba69c07a43ca357a691f0ef6a480
Formbook
aafd16655157dc194683021e605766a030e2d4d46462ad37b723d1f1f834bf98
Formbook
c4079f3f904aaaeda007ba7ce93f24d8a47eb749be233eaf87766e12fcada032
Formbook
d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
Formbook
d279e3202c62da190c154aaa835cffce869db3b7811c382bd8b51cd339302589
Formbook
e83d65ee23f397269dd89a621fba51c803ea65652d22679fe6e6dcdc16e798c5
Formbook
+ 419 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230830-he8mmsab99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
787c813da25b42477467fc7e802d4e4d6c22fbdb848d5269be34c41daf692801
MD5 hash:
41f468dd8c1c98647a5a0afa8fc479f3
SHA1 hash:
67f89840e6c645e4c0eab4dcfaf559b5dc5b95d0
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/63d88034-6db4-4b31-99d0-6f288c0b25b2/
Parent samples :
bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a
7439b7be3572ee86c84019ac60a182f9f183f7ce14b56a59898a9772fbddedf5
f93c2d5447563c24b8a60a7404a32155093ecf40afeb7345490bc8ba2e87cd14
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/63d88034-6db4-4b31-99d0-6f288c0b25b2/
SH256 hash:
a492759ece3c58b21298c9e45cc65cdfad878cdf3c65c431bfe5bf244bcf416a
MD5 hash:
021742c61635ad6fd37970610864799a
SHA1 hash:
ae70e013b1eafdc5edd3a5469d1b275725ad8ae6
Link:
https://www.unpac.me/results/63d88034-6db4-4b31-99d0-6f288c0b25b2/
SH256 hash:
ebaf28744bfa555219d56440db49703efd0e1757e3e219eef119725b4f0090d5
MD5 hash:
13574c506380e6ec0da25e442099b8e4
SHA1 hash:
9900c86a1bb5a605e34de9a4167aa3b93225ec33
Link:
https://www.unpac.me/results/63d88034-6db4-4b31-99d0-6f288c0b25b2/
SH256 hash:
bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a
MD5 hash:
db200e65bd875cca2fe493f3ff1832a8
SHA1 hash:
7f48d6433dcba358dcef74b4d76c62033055edee
Link:
https://www.unpac.me/results/63d88034-6db4-4b31-99d0-6f288c0b25b2/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc67ae3a554d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bc67ae3a554d2277fe852ed4b5545895960d32faba51c99d78b507fd77734d9a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445243/

Comments