MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824
SHA3-384 hash: d9417c344dd8a029db73d6a25c88f8be9fb29033e52b99ca31fbbdb5d633f6bb4a0185af7926e5b3355c38362de2890f
SHA1 hash: 13970779bc95dd6e84dd905b6552f68eea9e5bb0
MD5 hash: d814d6b2b68825eb6ea6122617841df2
humanhash: kansas-stream-delta-island
File name:payslip-10-14.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:122'880 bytes
First seen:2022-10-15 10:09:23 UTC
Last seen:2022-10-16 07:17:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:Ed7hY72rOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/9n/87gUHCzQgtn9LXCk9aPG:SG5FJ
TLSH T13FC321827145DCDAD45328F258AED57060B47ECF8165CA0D3B83BF2A94E734234A7B9E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320573/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/634a86fca67b0a5ed57a15a2/reports/7fac92c5-25c4-4b1f-8216-0d82e478d2fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a35355fb-db04-41c7-b4b9-80ec7d0d975b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1091176
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 04:39:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 42 (59.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zat4jtgesfhjg4bg53tvskmbppits53xpeans6quqncyfrk6rasa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221015-l7cx8afea2/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/91e16198-5745-42b7-a069-535492038960
Unpacked files
SH256 hash:
c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824
MD5 hash:
d814d6b2b68825eb6ea6122617841df2
SHA1 hash:
13970779bc95dd6e84dd905b6552f68eea9e5bb0
Link:
https://www.unpac.me/results/9d21a93c-1ebb-4191-b1e6-fdd7f720a283/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c827c4ccc491/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a

Formbook

Executable exe c827c4ccc4914e937026eee75929817bd13977777900d97a14834582c55e8824

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a379689538197079d55983bc9c34f94d83f71675c4bee189a98bd8808170453a
Cape
Cape
https://www.capesandbox.com/analysis/320573/
  
Dropped by
MD5 8fef6a131d294080f4859598a07d239f

Comments