MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465
SHA3-384 hash: f24c4f6188ca05f86a7a55edead2a2526c3e535d5c72080da3fb8217bc10a928aa1aa929c5bc4d16fab279fbdd6f0f93
SHA1 hash: fdd29f9172fa93d54f4a3bfa68c3254956e96a12
MD5 hash: 468b124b8e0ca7cc8f952c923ccd5ae7
humanhash: equal-equal-stream-cardinal
File name:E-mail z 30.05.2023.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:874'496 bytes
First seen:2023-06-13 11:42:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:X8U/mozQ0AQjccIvQyjUpJC3Q3mBnJPyK:8A32yK
Threatray 1 similar samples on MalwareBazaar
TLSH T1AE05A3807054E520E99C32F65C39D4D0136ABF6A2C00D346B8F9BBEE6C75617CE9726E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E-mail z 30.05.2023.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 11:43:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c413df2a-cfbf-4d93-ac5a-7f196f5a5633

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398250/
Detection(s):
SecuriteInfo.com.Win64.WormX-gen.22817.29504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a file
Forced shutdown of a system process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6488564708b287b7595b6e68/reports/44aad8c3-9591-4d85-afb5-dde757b0c1d8/overview
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.AAK trojan
Link:
https://www.hybrid-analysis.com/sample/c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dc3c5bae-eb37-4a63-be7e-9a89fcd46c5f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253577
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 06:17:39 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
14
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yi66eeiradgjdcrycaoulffxtf32vkohxzpfrxrwvrq254rgyrsq._file
Verdict:
malicious
Similar samples:
2951ba641cb9cf539b45973fb7d178aaa0b511812b4e84f42dd998cbd8363e2c
Formbook
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230613-nvkhmsga25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465
MD5 hash:
468b124b8e0ca7cc8f952c923ccd5ae7
SHA1 hash:
fdd29f9172fa93d54f4a3bfa68c3254956e96a12
Link:
https://www.unpac.me/results/d914a042-15d5-4280-beb1-296f53b7a399/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c23de2111100/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c23de2111100cc918a38101d4594b79977aaa9c7be5e58de36ac61aef226c465

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398250/

Comments