MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3
SHA3-384 hash: 238c72ba4f4e6dee138decddc4fda63f855b065beb107aa76083770d4c36b901f86b3ac6661cf3fabb623bbda09edce4
SHA1 hash: 458b0cd96d44a80428b9e2bf5990514f3d0e203d
MD5 hash: f433cc39f97f83dabd0ff4db9c78cfb4
humanhash: uncle-harry-comet-stairway
File name:MUESTRA DE ORDEN DE COMPRA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:838'144 bytes
First seen:2022-10-25 07:14:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:LQIfcPaPBj2nvOu3y82qFvX1BalA+FSxt599h9bWd4pH3iKjZFC6fd1SabEh:LQIfcPaPBGtHbX1UhFajhMqSoPC6d7
Threatray 15'288 similar samples on MalwareBazaar
TLSH T1AA05BF0AFAE6CF51D3480773D9E39A046BF5C5C6A222F76B2680E7F51E233618542DE1
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
MUESTRA DE ORDEN DE COMPRA.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 07:18:06 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/28d4e19c-5e92-4911-b2aa-05ffb688af62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323825/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42ec7a1d-e7bf-4c16-85f3-bd0936a2475f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097310
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729970 Sample: MUESTRA DE ORDEN DE COMPRA.exe Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 56 www.thaicomfortfood.com 2->56 58 ghs.googlehosted.com 2->58 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 12 other signatures 2->76 11 MUESTRA DE ORDEN DE COMPRA.exe 7 2->11         started        15 pBBqmCzAGjd.exe 5 2->15         started        signatures3 process4 file5 48 C:\Users\user\AppData\...\pBBqmCzAGjd.exe, PE32 11->48 dropped 50 C:\Users\...\pBBqmCzAGjd.exe:Zone.Identifier, ASCII 11->50 dropped 52 C:\Users\user\AppData\Local\...\tmpB88D.tmp, XML 11->52 dropped 54 C:\...\MUESTRA DE ORDEN DE COMPRA.exe.log, ASCII 11->54 dropped 84 Adds a directory exclusion to Windows Defender 11->84 17 RegSvcs.exe 11->17         started        20 RegSvcs.exe 11->20         started        22 powershell.exe 21 11->22         started        24 schtasks.exe 1 11->24         started        86 Multi AV Scanner detection for dropped file 15->86 88 Machine Learning detection for dropped file 15->88 90 Writes to foreign memory regions 15->90 92 Injects a PE file into a foreign processes 15->92 26 RegSvcs.exe 15->26         started        28 schtasks.exe 1 15->28         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 17->60 62 Maps a DLL or memory area into another process 17->62 64 Sample uses process hollowing technique 17->64 66 Queues an APC in another process (thread injection) 17->66 30 explorer.exe 17->30 injected 68 Tries to detect virtualization through RDTSC time measurements 20->68 33 conhost.exe 22->33         started        35 conhost.exe 24->35         started        37 conhost.exe 28->37         started        process9 signatures10 94 Uses ipconfig to lookup or modify the Windows network settings 30->94 39 svchost.exe 30->39         started        42 ipconfig.exe 30->42         started        process11 signatures12 78 Modifies the context of a thread in another process (thread injection) 39->78 80 Maps a DLL or memory area into another process 39->80 82 Tries to detect virtualization through RDTSC time measurements 39->82 44 cmd.exe 1 39->44         started        process13 process14 46 conhost.exe 44->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 16:33:15 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2xjou6t7y3vwcqmihevmvw7bpfedvtrbf6zr2yv7l43aqczz6rq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a92b6b6c9ccba573ca47718bf608715dbc87ad48afc19bf7004d8eb9bf598d0
Formbook
371982ab20054b57f6cd8698e9f64498c7a857b412d370febbf44d8cbe7f2285
Formbook
401d8ede073c42e3cb7c03934bbbb8b1ace7ae84c88098a680c6cefbaab26cdf
Formbook
637f702a6f06a32c6b1794df68ccf1e7f29a2aa38b468b296816ba9010606a1a
Formbook
64ac613672e24621e590d79800c1028624f90cd6edbab8b64c9608c17497e8bb
Formbook
736808fef49ea666d160c9943b624f0ad79c3d10c44b8042a602d8a31d2465a3
Formbook
8ba89f4cd9f76d5ec870673db35849d80c7bb2a46614bb4e7a8fd2e951846c11
Formbook
dba99585218765f78dddf353fa0bc8cda522649bb25e13d71dfcd316e5d7c3f1
Formbook
+ 15'278 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:de19 rat spyware stealer trojan
Link:
https://tria.ge/reports/221025-h29hfsbha5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
75fdcb0a5d57c9775d132096cc4ebdcb199a1b2c62627bd8954a3172eb71cf07
MD5 hash:
4a5573e5995b326833f51feebd295564
SHA1 hash:
fb79d68666810912ddde6621292c05b7bc696d86
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
Parent samples :
79e04a99e2c53eaa98af95fd0a86bddf3cc4b0f62c385cfdfa5662738007fdd1
29589889f6cdc96df65d2105fe659fdc2edfae9f7836e4473cc489f632c97a90
036ec4fbb63586161e9b40abef1ed5549639eb0bcb4092a1196f0dffa65a7a43
cb68859e3e976870a550cc5b49b0ab0f4f07870e26ca45cff21359e71f0444df
cbaab74c7babdfbadf51792aa697c1b752d0b7eb1a1f06a95ba81e6b3e911b01
eb065bd048ee76029258e2858797bf9a51f0cac0f523d4a737f38e11c6e33cf4
c5d68dca5627d6e9f0f6778142045fc137277f94e4fad6ed2da4e61efffd5685
ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3
0a8b952a910a7278793ed7f7373b628afe07138aedde676453482806b2ea7b0b
b1a04015ced59584115a625dd19ee394005f911b108864b0bd834163d9c35181
SH256 hash:
a873bad40a489abd0bc80ad12b904cd7da2dbaef196d7960c0423795d01fad99
MD5 hash:
0e266b4db284b042012c2f3675b9a2f7
SHA1 hash:
e7a4688ee6c5a8937876e2bee0c05884d04f964f
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
SH256 hash:
23d78947c49bdec9d727a1983e749e4f0bac789ba6ca1e881123637180c97b4e
MD5 hash:
b4f2af85e5a564283faba090db73ea15
SHA1 hash:
8536176c201821cc959daa7a9965986f47a70f6f
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
SH256 hash:
3ba16a92b2b40d38c6e5e30f882a4c60b3838611868d990b7d986eb4018c17cb
MD5 hash:
16d6f358cc62b12dc869da8a59b03eda
SHA1 hash:
5eaf3662fbd4193086df2ba7233e9652542be8a3
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
SH256 hash:
ed7e56fc5c8c4139f53bd6b805847e37a0552a3b89617a3460dcd223d71c0b8d
MD5 hash:
138f07a76baa5fcb776022087bfde9d3
SHA1 hash:
342a496454a341faf56773042a8c189dfbd33412
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
SH256 hash:
ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3
MD5 hash:
f433cc39f97f83dabd0ff4db9c78cfb4
SHA1 hash:
458b0cd96d44a80428b9e2bf5990514f3d0e203d
Link:
https://www.unpac.me/results/83d17ae7-1d1c-4a53-9a8c-e61ccb409d84/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ceae9753d3fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ceae9753d3fe375b0a0c41c95656df0bca41d671097d98eb15faf9b04059cfa3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/323825/

Comments