MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2
SHA3-384 hash:	700bedbde364f7ecdc6a77005fe988040398b58f6dd31462cda447b3f619729dd2a0049fca61bf9f00223ed4c3da5445
SHA1 hash:	562b4fe3f44d4eb8c395d3f7beef759be74113be
MD5 hash:	ca02fe27b771597ebe4d3273084ba532
humanhash:	hydrogen-wisconsin-oregon-table
File name:	Transaccions DOC-REF DX739475.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	340'472 bytes
First seen:	2022-10-30 15:23:21 UTC
Last seen:	2022-10-30 17:00:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep	6144:yCIo2HHRd1LeRiv2TUMiTJ+GX+YwwgnnK/x3QHN1:EHHRre0M6g+v6nK/m
TLSH	T18A749E83B6B18397D854033345A64EE8412F6E34D8917E4B2EFCB2791BF228259D3F56
TrID	92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	1cbcbe3ce6a6c4c0 (2 x Formbook)
Reporter	GovCERT_CH
Tags:	exe FormBook signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-01-13T19:00:19Z
Valid to:	2025-01-12T19:00:19Z
Serial number:	-3dc8307cd174030b
Thumbprint Algorithm:	SHA256
Thumbprint:	effafedf1062124691a49d2adc86d0231d18de7341f30218b506ba689b004318
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

480

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Transaccions DOC-REF DX739475.exe

Verdict:

Malicious activity

Analysis date:

2022-10-30 15:26:29 UTC

Tags:

installer

Link:

https://app.any.run/tasks/b0198622-b56c-4811-9366-975245015b24

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/326134/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.63077020.1001.27645.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file in the Windows subdirectories

Creating a file

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/635e9713791bb7e48afdda8b/reports/770176e0-8f71-4f36-b4bf-7eef6d80382a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9b76114b-3e8a-4502-853b-6d36c58ab3b1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-24 07:33:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ytxp5yal4zcp33qfjlzyyyxauq3aok6blb2invq4brr3a4uikoza._file

Verdict:

malicious

Label(s):

formbook

cloudeye

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:pfgc discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/221030-ss2flahaar/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Checks computer location settings

Loads dropped DLL

Formbook

Unpacked files

SH256 hash:

484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

MD5 hash:

960a5c48e25cf2bca332e74e11d825c9

SHA1 hash:

da35c6816ace5daf4c6c1d57b93b09a82ecdc876

Link:

https://www.unpac.me/results/48550f8e-2394-4d4e-8612-2175bf4db56f/

SH256 hash:

c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2

MD5 hash:

ca02fe27b771597ebe4d3273084ba532

SHA1 hash:

562b4fe3f44d4eb8c395d3f7beef759be74113be

Link:

https://www.unpac.me/results/48550f8e-2394-4d4e-8612-2175bf4db56f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/326134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Code Signing Certificate

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required