MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed
SHA3-384 hash: 737d4f93ff39a74dbb9ff79da42bf5a203f41e248ab14394b35a6b72d7b44c323862c6a12dae28e72d6c729689d505a2
SHA1 hash: beda7ba39b0ae594128980f8291d0f3a7af6c051
MD5 hash: 57d8b89de496140836fb236850f1f5c6
humanhash: freddie-high-carpet-fanta
File name:FACTURA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:916'992 bytes
First seen:2023-07-19 06:28:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:1hes/MhIaQkESIQaNdgGmB+XOi4cP7V+RpbZzjZk:veZrzpIQasGs+XC87SBZz+
Threatray 3'245 similar samples on MalwareBazaar
TLSH T10A15B0A532DAD129EFF29F39C0D40104A5B1FC93F88A6E2571BA734616B7F814533B92
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c4c8e8e8e8e8e4c4 (1 x AgentTesla, 1 x Formbook, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURA.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 06:33:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c409e86-6c21-4cb0-8303-58af181407b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424491/
Detection(s):
SecuriteInfo.com.Variant.Lazy.362694.4597.25971.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64b782b287b3dbad8aad2069/reports/144d05b1-3e02-4fd1-8659-3692e937033d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d661789-08f8-4be9-9663-9a632b977a88
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275721
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Copy file to startup via Powershell
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275721 Sample: FACTURA.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 4 other signatures 2->38 8 FACTURA.exe 3 2->8         started        process3 file4 28 C:\Users\user\AppData\...\FACTURA.exe.log, ASCII 8->28 dropped 40 Bypasses PowerShell execution policy 8->40 12 powershell.exe 13 8->12         started        16 FACTURA.exe 8->16         started        signatures5 process6 file7 30 C:\Users\user\AppData\...\anydesk.exe.exe, PE32 12->30 dropped 42 Drops PE files to the startup folder 12->42 44 Powershell drops PE file 12->44 18 conhost.exe 12->18         started        46 Maps a DLL or memory area into another process 16->46 48 Queues an APC in another process (thread injection) 16->48 20 anydesk.exe.exe 16->20         started        signatures8 process9 process10 22 WerFault.exe 4 10 20->22         started        24 WerFault.exe 20->24         started        26 mstsc.exe 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 05:18:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ybved6gme3vfyesy33gjvqd7eaklfetgwsr2pqgxda63y4dp73wq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bdde3cb5bc10aa2aa88e00599e59b6ebfb1ce24fe78dc2871ba3c8118f61c91
Formbook
19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
Formbook
20fa6136a8a585a8f30110a5dd5fa9d8b2f9a2ee0eff590a721656eb44eceea0
Formbook
2beabdd285adf915fc07418c5f9e57cc4430f766b838e1726570c21af4868f18
Formbook
2cd9e8fc5b73c35422b79574233937370a03f6714ba9e813da80ac2974b4cf91
Formbook
455479a2d31bd901fdff62e67ec93e40f80e5956384e93e5030132d4a490501f
Formbook
7997a727f9b2d2bba8f6a846dda7f4640c5b3d1d31db85deb0ef1c4ff05574a4
Formbook
7db4eb09d5e3b7b8cb37539295da0190b1c1416898804b297e1bc7b5f5eff9e8
Formbook
80802d7e4597b03c737d2baa9bb2cb2a400f2c0546218cfa505d408ec5d99b15
Formbook
+ 3'235 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230719-g8xa2aha6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Unpacked files
SH256 hash:
8c2ca57a8a7420ea209eff1e6bfb7d96584493e0b23865b5438d473baae24239
MD5 hash:
ab622cf39eabb58381aecbda245d8233
SHA1 hash:
a154e6ca9e5ef486b4ea5d3794986316af5207e5
Detections:
XLoader
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0180594b-98bd-4c07-a2a9-e3e54f48cc21/
Parent samples :
20fa6136a8a585a8f30110a5dd5fa9d8b2f9a2ee0eff590a721656eb44eceea0
2beabdd285adf915fc07418c5f9e57cc4430f766b838e1726570c21af4868f18
c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed
4ad51ee71da26867904c568a85bd257a3ebe2afdb5d1a4b6c7746c19b1743173
de16643e51e2e6e72c03e394fc0744beea0b1c480b138e2d687783a7da4d12e0
bd34a0f8b26f8e2715969b34a236ef365637ef80baff9d9781348e631b3406ec
SH256 hash:
b5084dddef652fcad599c2e52e71b8caf2420ecde2ce5c903848e21b0a531493
MD5 hash:
7e2f175c59b3ec03712cdf56c71ac58e
SHA1 hash:
45e8da5f9007525f31ff523761ae4502488a29ab
Link:
https://www.unpac.me/results/0180594b-98bd-4c07-a2a9-e3e54f48cc21/
SH256 hash:
c275f7956479c72a8a7ac2ef93b1d0f741d9d03fe34f9ac4ed51c487657c4b74
MD5 hash:
c3fe6265a46772b5137d47de594e0ef9
SHA1 hash:
25536e915ca2e76da7c35dec7a176132533f336d
Link:
https://www.unpac.me/results/0180594b-98bd-4c07-a2a9-e3e54f48cc21/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/0180594b-98bd-4c07-a2a9-e3e54f48cc21/
SH256 hash:
c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed
MD5 hash:
57d8b89de496140836fb236850f1f5c6
SHA1 hash:
beda7ba39b0ae594128980f8291d0f3a7af6c051
Link:
https://www.unpac.me/results/0180594b-98bd-4c07-a2a9-e3e54f48cc21/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c06a41f8cc26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c06a41f8cc26ea5c1258decc9ac07f2014b29266b4a3a7c0d7183dbc706ffeed

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/424491/

Comments