MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdb41289aeeae3103dae4fa81bdaebb88311bcc6127b1c8c1a9afc96623adbbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash:	bdb41289aeeae3103dae4fa81bdaebb88311bcc6127b1c8c1a9afc96623adbbc
SHA3-384 hash:	ad776615db7236aee2f674c541320bd716040821542471151e37742cb0f4cfa505e4f2832e41f59f12cd44844debb287
SHA1 hash:	e6666c9f89963aef18cdafb65cafac8b932027cd
MD5 hash:	1ea4b91d9c94208acdaf521d86e3bf92
humanhash:	charlie-undress-bakerloo-stream
File name:	HSBC BANK Swift (103)001708320071 pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	332'369 bytes
First seen:	2023-08-24 09:43:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep	6144:/Ya6RNz658GnV5R4eWVMhu7+vrz2VglY0sU8sDJqT8g6bK:/YT88Gnzduqzz2VgS0sUTDJqTD6bK
Threatray	1'368 similar samples on MalwareBazaar
TLSH	T1776412293570C4EBEC2657332DB9017A3EA4AE0614595B4F13A01E6D316BAA5DF0FB33
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook HSBC

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

HSBC BANK Swift (103)001708320071 pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-08-24 09:55:19 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/65c602f2-4f5e-4c47-a984-772609bf05c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444441/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230822-1135.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Launching a process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/108451/overview

Behaviour

MalwareBazaar

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/bdb41289aeeae3103dae4fa81bdaebb88311bcc6127b1c8c1a9afc96623adbbc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5caf0e1-5f91-4e76-bc0c-b0f3b609b0cb

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1296536

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bdb41289aeeae3103dae4fa81bdaebb88311bcc6127b1c8c1a9afc96623adbbc/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-08-22 09:47:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xw2bfcno5lrrapnoj6ubxwxlxcbrdpggcj5rzda2tl6jmyr23o6a._file

Verdict:

malicious

Label(s):

formbook

Formbook

14ae647473cbf4def9becdbbb1f007fd8c96c63be5c88014415ab13e6467168f

Formbook

151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f

Formbook

68ecb3a0784bbfd4ac9f3d1c76cfc09cff02b4298839e2e1b293e9ef8833b265

Formbook

79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49

Formbook

959fc8883e6b1d4ab77f9738792435e2dae1969530f36d2672db6cb397778687

Formbook

9c3860c6744d8b2718e1109e327795014997a81b0e21706a96242d0f8d52f55b

Formbook

a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f

Formbook

d0294bc11b1c8e0655189aba2ade4ffb54da6f36e2afc2ef2e0045a5a17203bf

Formbook

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

Formbook

+ 1'358 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230824-lqg6lsbe75/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Unpacked files

SH256 hash:

8fa8350adae9c5f771b4ca06db18a2b785486656d130709fb66d8a460a4707fb

MD5 hash:

08e7cd43df2af18b15766a607d97edaa

SHA1 hash:

7f3e0f96f12f0029dca7526e431c2b34923138c0

Link:

https://www.unpac.me/results/a93d1140-42d6-4da0-83d0-b981dc027aaf/

SH256 hash:

bdb41289aeeae3103dae4fa81bdaebb88311bcc6127b1c8c1a9afc96623adbbc

MD5 hash:

1ea4b91d9c94208acdaf521d86e3bf92

SHA1 hash:

e6666c9f89963aef18cdafb65cafac8b932027cd

Link:

https://www.unpac.me/results/a93d1140-42d6-4da0-83d0-b981dc027aaf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bdb41289aeeae3103dae4fa81bdaebb88311bcc6127b1c8c1a9afc96623adbbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/444441/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample