MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
SHA3-384 hash: 42d2b8c13eafd80befc2d5b56dc7a1e8a696a9a1c806d4e8d993c53ade85700a88ec3f9040afba99cc892d7b3c03e284
SHA1 hash: 0d6fff464505680dd3e58b360cb0b13e5c55c3de
MD5 hash: 4e96cb7f48fc8c4ac06a1cf484e85e4d
humanhash: neptune-johnny-carbon-four
File name:Inv 070324.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:773'640 bytes
First seen:2024-05-07 08:07:02 UTC
Last seen:2024-05-07 08:39:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:Oo6giAEfDdJ19MN8oKhKSDOM03nkRjQ5XBS7jLJHrsSU2iVDbiIXBYx9fIkR:0gRE7dJ1GRZXkNUS3LtrsSMVDbiIRG9n
Threatray 302 similar samples on MalwareBazaar
TLSH T1E4F42222774DD3A7CB3C59B81045206403F6B29A7F45E3AC6CEA61F79684FE79204AC7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 08e2b0c86e36d879 (15 x AgentTesla, 2 x SnakeKeylogger, 2 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab.exe
Verdict:
Malicious activity
Analysis date:
2024-05-07 08:17:42 UTC
Tags:
formbook stealer spyware xloader
Link:
https://app.any.run/tasks/47f4294d-3309-4124-b594-1369cfee1eb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2822.12905.17449.UNOFFICIAL
Create hunting rule

Win.Packed.Pwsx-10029429-0
Create hunting rule

Win.Packed.Pwsx-10029430-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
Malware family:
MSIL Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fab0165-fe72-4532-ad9b-3bf5c9a0595c
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1437296
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1437296 Sample: Inv 070324.exe Startdate: 07/05/2024 Architecture: WINDOWS Score: 100 57 zj7465029.free.dongfangjian.cn 2->57 59 www.toyzonetshirts.com 2->59 61 21 other IPs or domains 2->61 75 Snort IDS alert for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 11 other signatures 2->81 10 Inv 070324.exe 7 2->10         started        14 nrknGm.exe 5 2->14         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\nrknGm.exe, PE32 10->53 dropped 55 C:\Users\user\AppData\Local\...\tmp197E.tmp, XML 10->55 dropped 83 Adds a directory exclusion to Windows Defender 10->83 16 RegSvcs.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        85 Multi AV Scanner detection for dropped file 14->85 87 Machine Learning detection for dropped file 14->87 25 schtasks.exe 14->25         started        27 RegSvcs.exe 14->27         started        29 RegSvcs.exe 14->29         started        signatures6 process7 signatures8 69 Maps a DLL or memory area into another process 16->69 31 TkUbhWWLtULKNmkaTnU.exe 16->31 injected 71 Loading BitLocker PowerShell Module 19->71 34 WmiPrvSE.exe 19->34         started        36 conhost.exe 19->36         started        38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        process9 signatures10 97 Found direct / indirect Syscall (likely to bypass EDR) 31->97 44 setupugc.exe 13 31->44         started        process11 signatures12 89 Tries to steal Mail credentials (via file / registry access) 44->89 91 Tries to harvest and steal browser information (history, passwords, etc) 44->91 93 Modifies the context of a thread in another process (thread injection) 44->93 95 2 other signatures 44->95 47 TkUbhWWLtULKNmkaTnU.exe 44->47 injected 51 firefox.exe 44->51         started        process13 dnsIp14 63 www.seltgin.top 203.161.49.193, 49722, 49723, 49724 VNPT-AS-VNVNPTCorpVN Malaysia 47->63 65 tavernadoheroi.store 162.240.81.18, 49746, 49747, 49748 UNIFIEDLAYER-AS-1US United States 47->65 67 8 other IPs or domains 47->67 73 Found direct / indirect Syscall (likely to bypass EDR) 47->73 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-05-06 01:43:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2etxz52nwmgrncckxl32b5ehg5hwhk5gcdq2szw2fdtruqq5w6vq._file
Verdict:
malicious
Similar samples:
0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
Formbook
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
Formbook
b9f7f2043b9a1cdeca868f55c33bd83d993be160ca42bb38ac3281ac00f6ec10
Formbook
+ 292 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240507-jz1m7sag56/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
91f6ad0eb4c523f9f1752408a812077c3594e21524b5bc46d53e5e262680eba0
MD5 hash:
38dd2a2d28ab19b14d1cabc20fe9db9a
SHA1 hash:
b40d9e7d467ba8a388371cebeceb4ced7f1bb1fe
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
SH256 hash:
159c5f516645cb942ac1cc9587b2386e5cc5587e12cd7bfb075d7ff556967c04
MD5 hash:
27fd78cd27e3fd909821028f54025729
SHA1 hash:
a47272086e7980938f433c8328355e53573e7cb5
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
SH256 hash:
e3b6c0bc482ffcae1b6004bc9d50359e6fa18e5f41b7ede44f8e72f42a17ad94
MD5 hash:
f3fc60703840e3fef7c328f887e74bb6
SHA1 hash:
6ca8d8083b7bede73fa23382c3ae5845f17df632
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
SH256 hash:
58d69063e7c1778b8fe306608d01b54712dbedc6865f684d2416facc208f3f23
MD5 hash:
c684019e698444faa861bd040ec4b439
SHA1 hash:
4caa1702d5ee83ea9074198adeed93269031dec9
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
SH256 hash:
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
MD5 hash:
bf426feba5a9a2f55c1a2e439b3f46c2
SHA1 hash:
4b547c42a4a14a4edac9fce0484eeff41f1ec116
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
Parent samples :
7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
ce356848dbe05d9b3dfe99c857e5abae2e19ceefbbdaf32d2c786ffc434d4314
049b5a9dc73afb156d98d5087d9d728287a857420b698ed12d494a2924341667
b9f7f2043b9a1cdeca868f55c33bd83d993be160ca42bb38ac3281ac00f6ec10
7cff23ba2bec8f206920f7814f67fb40698292d87b0137c9a87dac596352aa56
566368d997e93866144f269b23a33a54d910e01c6723ea141bdf88bd9202f31a
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
0c12ddd4730b8976410d8245aeb9f69d148afa2a1ae2a761ff82ca1744dfa207
47023bf6cf58f345002a5ced2740eb0244c02d1936123079d1ea41c427d5cf90
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
c68376bcbfd140e682ba3b0f7535af83a9653b63f090718ce028a9a65514959b
622cf81d55d81ae7200c6f7353d62f9ab64a43ba762fa1b604749d85ae2a8d07
1268ff6a657c693e5b4fa2ee3aa1ffcf3f5c0449ab5468fb430a3147314e2931
331621cd29733a7586ec0ecc51705f13433e146daeeaf2fc1848f8f5e8cb1306
3130e85a4fa0df65c8ab6a310c3ea1cb2c91e4cc2cc55f77c1dfa1e606037438
9c88b2fbf7b78279ae5a1f6c4ea318e2d4620d1f6ce23d8f89b1bd3e50bc0f95
966f683a0580f7d052c49ebda86cb0fb3ea22199fa37698cc0e0fa7ac5a9a95f
cd04d0be3d3ffb70bda5e2dce9f0bcdd480e5209f000a91a473f8020eab0deff
9e40251e52536336aee3deb9b764441efff559f90a83987c3f51db874bdee361
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
f23060f99dbfae0f176522266f43adedd3a79eef9960d808201e472f3cf96832
0a750351ec2b43d2ff77cf94903bcb9a2fda69450d62eedf2fa4eebda26e07f2
377449ca71b8a9f0688ce1826a2b245cbafc8dcb56498eb6db9b5a973f5ef36d
307b6baff0d23da831efea1205facd7d4352fcd532edca732ac42322eabb6eb5
c5f5072d4434c3210c68708a250b1c62304f213c5f0447c010e55c6d4d6370d5
34f7239e0a54a95941f92fb3e1b027ee214ae6002773e917e23e58e28a754726
1b57a890251e57f1b1861cdecaa0c02ff83d438ea0cef15a677dfa0a67e7891e
ca7bfa1d520a6bdf0711c132a66bf28a10bad487ecbc225f69038ed95619dc86
5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
bcdc102d9b2ee935356e5888be20ed24f5e6916f668d1847a26630223265d197
b4146ebcc1fa90a7e4adfcabba15f5fe474348666fe15c98367216932fcfa7bf
6a37c6b56b588d4bb27dc42af88e95ac60bf80a0544870cf6476c423f4eec2c1
ca1dc64bb446fe0612f320105ab988ea750a7d7c9e1e0689005925dae6d3a8ee
c6e903556bc2f879377ea0e482875eb73d980edbc156419ea3bb741647e2ae04
22227fce9d09014d3fca954bf6fba7a40cdf9bcf4b8dd13f69914fab061d0dfe
83daa016494bbc800ff8e1db308b5e3dc9c0b73daaf455a579d8268b4f44f3ed
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
e7dbb76c52c158efa316bd2236902bfe1208e0742621b9652806bdc13ea3d6e0
203bacf22feee36e2d35a3846fce5db308f078942ce7ed5a16a9671f6138e46b
9db03971f027f14894036a6c0bc19fd875dad7387708a70623d1f3a8e5627958
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27
1d7754c8cc8eb7df3bd429fe9806b85f7f6fbd768ff59948a1772eace6dec77c
115fc6621dd995b238916ac8629521d718fb941f0b455f019c85b1a4174f47d2
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
c28cff180b9334b37f4d59ec77dd36b6665e1a3e8f4625be51f9205e523750bd
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345
bbe3fb7e0f0ddf898c7f5055707dcd5847cf14801f02563f384b75ffd06ece4b
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
9d4250be0e0211b67c9d2817e00441a0031156edf03e4cea333153275bb87519
9909d16ff5a6e59c3f55c3e4a8bc3c4fbe4fd56c728ffd1875ec602ec1ccd57c
8201ae4019ccfc7b3756ddfbed3f8fed7dc3f65fe47ca2d9b2ee67efc0d57e3e
c7a842c7d0b5d81693410eccebf67e1cbd0725fd1292dd695617494f47543f0f
1bc2001563ec7cb81fc1d7086b7d8bf36b285354015654b9ac2bcf051c68d2f7
403fb4a908a97f67ebabaa9d60f9fc520d3f3f44a892c8f3b9b9fe44edf59df2
4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7
11434dae7da8d82c7cfdbcd435b920c3785903e41dee470bc4e191c6c87b5489
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
f4a45365e22a84bee73e3d8339ee08f2336d76bd78c3f25cf61a08e4a4085a2e
55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f
655bf2b084f93181d47b1ffb31e944da4cd4779a2ce1a17f37286b17684677f6
a26493d2e56f50c049733bc651849a42513021b26bcf8c9fbb4b71fd0b3bac54
17cb12e355a44f0aefb9ec8069817a61f409d455129feb61b489d508c0721992
561f3664b4dcc39b1eb79236231b0e36fb5fde10c8bda6d356d2fa63925f3a6b
SH256 hash:
cf050145fa252b6ab144f066840ae41af3c3eb1f11de86be3a029e4667ff1c6d
MD5 hash:
6b972168c98b6ad60536bc10889f7cb0
SHA1 hash:
308b786fe1bd36fe9889ff44631c943264838b13
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
SH256 hash:
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
MD5 hash:
4e96cb7f48fc8c4ac06a1cf484e85e4d
SHA1 hash:
0d6fff464505680dd3e58b360cb0b13e5c55c3de
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/60648e68-8f79-419c-a4a6-8693d3d4ef6c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1277cf74db3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments