MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11


SHA256 hash: d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44
SHA3-384 hash: 9d4ee53fe5bc6df6cc2b774cbecbbd7e0546a398bbb72eb4ca43d19de20eb93f067e96434c707959b6226d383ab94b31
SHA1 hash: 834131c19deb14c6f857b27810973e4685b86761
MD5 hash: 913744738f2b860bd44bc49b36c289ae
humanhash: moon-potato-uncle-golf
File name: NEW ORDERS scan_29012023.exe
Signature: Formbook
File size: 797'184 bytes
First seen: 2023-09-29 07:07:32 UTC
Last seen: 2023-09-29 10:28:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:+sPw/6P5EypEx2kRGviqVAKfm3lfDnRc7EWMToEoRP7uaSwo:+sY/MmypEEkgHxofDnRc7EWLEoF7jg
Threatray: 25 similar samples on MalwareBazaar
TLSH: T19005F53C21ED2A88F36596BCF3744EFF57D5796F81ABB8B7AC4CA59306A57C04502220
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: cocaman
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 312
Origin country: CH
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:

Result
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2023-09-29 05:50:15 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 21 of 36 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 2774ee2faeb728836a406a1c1fe7c586afee98bd2e8ed886449510d9b10f0ad0
MD5 hash: 60f18b38ce30086717491c0c6fb07bb4
SHA1 hash: faa16dbbd107b9042369e241eae20f5e02e7f8a9
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: eae295b9f95b0b618d0dae374f26e700d8b27b5a9b4c65f5872c0ba797d9a5ad
MD5 hash: 29240f36c9b7fc6f7e1792c94e62eee7
SHA1 hash: 9c13994a69dacc8f92bc5aa1d21f2c55ef5ccec6

SHA256 hash: 6fabf7374fb08cbd1b812a1b7628fb5c1c62d9b42474c3d0c2881a889be862f6
MD5 hash: a40ded00caa4b830b4f7e303ff5f164b
SHA1 hash: 05605b2a73a03184a705b8ba0e32e10f47c73ea0

SHA256 hash: 6b6f0d0008346e351a105a7839d85b9aaae5b3c957c28618dcbc347c5c9db77f
MD5 hash: fc82262057015206c59954e04996f8ac
SHA1 hash: 8650746ca799d0bc8020a5383b03b3d747ee889b

SHA256 hash: 2dbfe72047f49684fdacc52949635e5e468a4d3e5f64a153b68fd667527a1a96
MD5 hash: c474e646bf9b9c6aca7c4f2403cce028
SHA1 hash: 3a7a6af46d28f06b9721090856a42ac745d3174c

SHA256 hash: b260a0072caae73dc7fee0bab4768cf233fdb6e1437abfa97a1f1e5636800629
MD5 hash: 574fafdb51c3f2838ebd22ca71226b45
SHA1 hash: fba610ea1362138106229b6f041382d8519f5b2a

SHA256 hash: 26f6e9f09950e262436b146250219974b03145da77ce3a701cb77ca7c25fa460
MD5 hash: 2bfc45a58aab5a68e63637c3d5028216
SHA1 hash: eea36227ce1b7ad70d493823515968095e44d73e

SHA256 hash: 1954b4b87954c4181e81d2c7e5cdb3ded7c94f8b14982c9686ef67683f2a7b0d
MD5 hash: 5e9c2e15dae785668b3a78cfd75db8e5
SHA1 hash: 7e17020bfbef2245ecca684b874146371b93ed24

SHA256 hash: 1a401265a94a3a3c6851e29c9a4bc00dc4ea7d069b2b36c1cc62b10691137c17
MD5 hash: ef98209873cd3db5b6d4acd199247711
SHA1 hash: 461a1894c4c562983bea702aee36ea3321fb1a77

SHA256 hash: 6a22fa2b58566bb29d05691c19fb404e58d6bbf9ffb9fb3c40cca773285ff37d
MD5 hash: e0a668efa11c2df95a256952c5d19412
SHA1 hash: 0a20b0133d68b6a82f2de6a46843e9a8eac9363c

SHA256 hash: 1673fd51c52dd2d4674410034ff1d0d1fc37c42531a4af92f6d027ccbb456ebf
MD5 hash: 0633f0dd5006441079e076a1aaf598df
SHA1 hash: 047b5a41477ab274d39e27ddd00741f8642510ed

SHA256 hash: d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44
MD5 hash: 913744738f2b860bd44bc49b36c289ae
SHA1 hash: 834131c19deb14c6f857b27810973e4685b86761
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Formbook
File: Executable exe d5e591ea8f68073801567e09b4323723d5cf1232ce0225365b1e74ee1cfe2c44 (this sample)

Comments