MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12
SHA3-384 hash: 997cfd91cde1cbe244967d7131c6190450c6f672236d5347c9bf5e8317023f19fd9cd33c393cdf77ddf1b17e9bb4bc38
SHA1 hash: 518ab3f9d699d1cb2542815a5d7a6952694efd73
MD5 hash: 9e87d445570c67c4e324e3d600f9d466
humanhash: uniform-double-grey-paris
File name:INQUIRY NO. 217166.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:295'240 bytes
First seen:2023-05-31 06:01:24 UTC
Last seen:2023-05-31 06:34:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:JYa6eSavKVmaw16Um4WKOrDE8l4X7bppsIk1BPpIx++OyLfpR+T5z:JYIS1umNKO/XGX3ppsTBRIh7pR2Z
Threatray 2'989 similar samples on MalwareBazaar
TLSH T19154120866D6E463E9B001712CB98713AED67D2918F5930FB364261FBA33796C90F735
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INQUIRY NO. 217166.exe
Verdict:
Malicious activity
Analysis date:
2023-05-31 06:02:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/105e1e0e-a1f0-4478-b5ab-ca9ac78ec918

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393816/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67303570.24187.1091.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88763/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6476e2db015beb7a3b05de0a/reports/5d3431e0-4e4c-4568-b34b-730a363fef05/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/118c6642-da88-490d-80c4-a036eabfe0e9
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245782
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 08:55:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2uke3f2azsj6wm3qluy74vpjyvzua2pkl4mdqnj57n3vg7m5yja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
31d4fa7c04a77660000eeecf8f66e38d6108f460ea7b539744d7bf9216266a50
Formbook
38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
Formbook
4641b42cd821fb6e718c5dd437dc8fc32e2aceb188d863a45937abfb6c5ce5f2
Formbook
7a30b05b90cc46a65e1122c29ed405db741c416efec4d68ae798ec29a8362422
Formbook
85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510
Formbook
8b121695caf28d91f455521122dbbd237de7839a583d812a4d8685b842cd70a8
Formbook
9afc074ebc658630115d98a5ad12f30a53509d43183cf855489be266890225e5
Formbook
b5b596f70279f40da033a19eb80841b5486fb16d9d44c2778cc158910adde7a1
Formbook
bee95f90676280bca3212cc77b2dbd497f590cd560ce3005f2998fa324698427
Formbook
c600d764532a73a55f4eca84c27637dab39b4d47b06b13c71a691cafffbe7aba
Formbook
+ 2'979 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230531-grfxqadb82/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
50d375d039b81b3f2abc9da7d866ada6d600ffc58274413ec1a4573439eb2e3a
MD5 hash:
9dd289bc345e6e01c6f0e69bcdd1ef3e
SHA1 hash:
11d7773861e887c09961f9e9632200ccc73baf28
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/0a9edb3c-cc76-49c4-a53e-c96ee243d95c/
Parent samples :
d02ef9df3bc1af2c02ad5a9904ea604a55a6a93b5e08ca518232b96fec13882f
c9a39c36b0fb495bd816ac4b750f8078b6ecd3d2d96c651b82dc92f3d2689ac5
38e090d8747dd1332c68563c5f8204876d297ecfeb0a25da3282c57579cef3fa
c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12
SH256 hash:
cc05c5a52e169abc5033c80c5c5c9b4bb3ceb451ee3afe816e17c8fe00e28d24
MD5 hash:
ea74c2e435710fe5727e02b97d578468
SHA1 hash:
d635ea803de96e5ea4d4d9e70427e2c4e9ff3a14
Link:
https://www.unpac.me/results/0a9edb3c-cc76-49c4-a53e-c96ee243d95c/
SH256 hash:
eaab5e00b81bedb8726e24a8e0b96d1cd3b1913fc187097b4d59d341e286d5c5
MD5 hash:
5d6791b907eba7ed8adea69165651209
SHA1 hash:
2d9255b2309a2b41add36e71977aa3d8d4012e46
Link:
https://www.unpac.me/results/0a9edb3c-cc76-49c4-a53e-c96ee243d95c/
SH256 hash:
c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12
MD5 hash:
9e87d445570c67c4e324e3d600f9d466
SHA1 hash:
518ab3f9d699d1cb2542815a5d7a6952694efd73
Link:
https://www.unpac.me/results/0a9edb3c-cc76-49c4-a53e-c96ee243d95c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6a8a26cba06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c6a8a26cba06649f599b82e98ff2af4e2b9a034f52f8c1c1a9efdbba9becee12

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393816/

Comments