MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d
SHA3-384 hash: ad999da6c9eb6ebacfca25f617c9da43c375f6cfa66fcc2c24ebef9d23c68ba7c62fe980ee1d734ce00cc467f3c4236c
SHA1 hash: 3d2ffb801be1739263d70add078292f62b3490b9
MD5 hash: 7923c45dcf8871cb20f281986f081b55
humanhash: video-sad-minnesota-three
File name:PO#00986.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:658'432 bytes
First seen:2023-09-04 13:22:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:YCWJp09bewSsnk/ZFCNP8n1LrhKGZw7QOLcXo/enFp33CT9wglb9YIE:YCF9bewS6WZQPO1/hKQwf4Xg2pnCT9wf
Threatray 39 similar samples on MalwareBazaar
TLSH T170E40223BA15EFBAC43BC7F53C24954102B1EE1D6860D758ADD6B2E66C72712903DB0B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO#00986.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 13:24:00 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/73dbd1b4-9fe9-4b2e-844d-d5e1f41b5e9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446069/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Porcupine.MSIL.GenKryptik.GNGM.163014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64f5da37e29c52e38dc7332a/reports/9dcb9ad6-3ce1-4854-8676-ddf338794842/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd17e0eb-f25b-45d1-858e-cc9b5c965378
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302962
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302962 Sample: PO#00986.pdf.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 8 other signatures 2->46 9 PO#00986.pdf.exe 3 2->9         started        process3 signatures4 50 Injects a PE file into a foreign processes 9->50 12 PO#00986.pdf.exe 9->12         started        process5 signatures6 52 Maps a DLL or memory area into another process 12->52 54 Queues an APC in another process (thread injection) 12->54 15 aFcozfYsFFAnRUqeIkUYxOuUPfY.exe 12->15 injected process7 process8 17 systray.exe 13 15->17         started        signatures9 32 Tries to steal Mail credentials (via file / registry access) 17->32 34 Tries to harvest and steal browser information (history, passwords, etc) 17->34 36 Deletes itself after installation 17->36 38 2 other signatures 17->38 20 explorer.exe 1 17->20 injected 24 aFcozfYsFFAnRUqeIkUYxOuUPfY.exe 17->24 injected process10 dnsIp11 26 www.cloud-force.club 92.204.55.72, 49778, 49779, 49780 GD-EMEA-DC-SXB1DE Germany 20->26 28 www.limooi.net 199.59.243.224, 49770, 80 BODIS-NJUS United States 20->28 30 www.hitbass.com 52.20.84.62, 49772, 49773, 49774 AMAZON-AESUS United States 20->30 48 System process connects to network (likely due to code injection or exploit) 20->48 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 04:54:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xub7eh76bynvmkfa7cik5n6bq3rdgcsolhsvj5tv73tzstwt5joq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
358659e950dae1b469fca25fb75167cae886174d21a9226fd8081fbd71d5abbc
Formbook
5765b61494d53c13cea4fa80a7aadd8bdf25d25690412ee3e809aaaca5c90924
Formbook
66e9b5aad3bc2d59cdabefdfeecff99d0e60fd9d65ae7cd60d8a8db80adf48cc
Formbook
86fe793dd78fe5b8f80d271bad4f574577222d150fa1d21517f26ac8b77193be
Formbook
93512f8df3b84088ddebeaa216201bfc2a2e9d68ded4133a9ef94fc5f154b229
Formbook
94f494962805c4cae1a0295d20db44ac8a42f4a6447a5856f17716c8f146844c
Formbook
9c8bd9485bb9039e6c2f0bb765ac58131c478b32419643405378bdbb4eb30547
Formbook
b6b2b89e880bddb6817fc3da22e4cf9a0e6f823667f8d3eb5de2e8943f745405
Formbook
d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869
Formbook
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230904-qmsv6agg28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
bb10b477ad89015650fb879a8a299f5900f99c0b1bc8d414c5e89ba9057a599d
MD5 hash:
27ecf410d305c8f615094fcb61640acd
SHA1 hash:
1fb10246f6f2b91797a2673fe25132e8049d15c4
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/1d710f44-b1d4-494b-af01-4606d22f2fec/
Parent samples :
358659e950dae1b469fca25fb75167cae886174d21a9226fd8081fbd71d5abbc
66e9b5aad3bc2d59cdabefdfeecff99d0e60fd9d65ae7cd60d8a8db80adf48cc
bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d
SH256 hash:
c9024bedf1905d56f774e65c8367956747deeff556074a82f0df0b7b8b6053cd
MD5 hash:
2b56fb4c68afa5fb71d816de12331b2e
SHA1 hash:
ef6a17fe2e2a24c5150dfebe50966acd6c855fc3
Link:
https://www.unpac.me/results/1d710f44-b1d4-494b-af01-4606d22f2fec/
SH256 hash:
892761d55890a0af5517cc5da1b7b251539f9d1b5e126616def3b66b60b25f50
MD5 hash:
1381fe1ab71c80397a78422051edbd51
SHA1 hash:
e258e5a6e54f6314944e713515d22906fa4520f7
Link:
https://www.unpac.me/results/1d710f44-b1d4-494b-af01-4606d22f2fec/
SH256 hash:
6f4ddc999929e87d2a54284ee311684942da40754a0d302f50d8ce39117c3bfb
MD5 hash:
41699bcb7705af6660a432b7ec14fac3
SHA1 hash:
ba07cf46d18109f62c36a439e03b067d3a48a618
Link:
https://www.unpac.me/results/1d710f44-b1d4-494b-af01-4606d22f2fec/
SH256 hash:
c13221919c8d6bd493bd83a1578598d48a912d3e4d3bed82a871827c60faaadd
MD5 hash:
6a76d243c04ff79817066cdbf1763e6c
SHA1 hash:
4670f243a7342316687f1ed721371935be0be7bb
Link:
https://www.unpac.me/results/1d710f44-b1d4-494b-af01-4606d22f2fec/
SH256 hash:
bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d
MD5 hash:
7923c45dcf8871cb20f281986f081b55
SHA1 hash:
3d2ffb801be1739263d70add078292f62b3490b9
Link:
https://www.unpac.me/results/1d710f44-b1d4-494b-af01-4606d22f2fec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446069/

Comments