MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 15
| SHA256 hash: | d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab |
|---|---|
| SHA3-384 hash: | d7047e8422451926aad55eb6bfda5221ecf72dc476469fa5a583d864a8e1b961db51ec7ef088d7882c7952bcf43ec75b |
| SHA1 hash: | ddce6774c4ccdf42545d0f1e5cc28d09b9c68522 |
| MD5 hash: | 372c41f00d904111ebf0908b83fb97b2 |
| humanhash: | oregon-golf-mirror-fillet |
| File name: | REQ Supplier Survey UkraineRussa conflict.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 269'237 bytes |
| First seen: | 2023-07-03 08:03:53 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader) |
| ssdeep | 6144:/Ya6VwPJdtxCIZ9N0319mTMEkN9xJb0nsothRRc0nBeAozhhMrPpLaaN1oFAS6:/Y3OXuu9N033mgr07JBrzrpNN1oF6 |
| Threatray | 3'099 similar samples on MalwareBazaar |
| TLSH | T1654412107EA0D4B7E42147B19D7FB3AA6FDBBE051C60831B7B101B5DBAE6242750E392 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter |  cocaman |
| Tags: | exe FormBook Ukraine |
Intelligence
File Origin
# of uploads :
1
# of downloads :
252
Origin country :
CHVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQ Supplier Survey UkraineRussa conflict.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-03 08:07:25 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2023-07-02 22:34:23 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 3'089 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
7/10
Tags:
persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
2388d16f2f0aa2356b18a27b4dfb7f1cf92281ce552f8b345074f3f76c765557
MD5 hash:
8464437055d3802341c759fac19a4eb0
SHA1 hash:
2a9668faa9ac1adf7c844406cc29829d35e9294f
Detections:
win_formbook_w0
win_formbook_auto
win_formbook_g0
win_formbook_w0
win_formbook_auto
win_formbook_g0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
3e2763c4e10e822e79c3c8890a0041a0f978cbfeb7e4a78156c9b6aabf7cb4d0
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
SH256 hash:
bdcc7e9bf098a6231d3797ada9e1879c590ad0268ed049299602a99d0f6747ff
MD5 hash:
777d8633855ca251fb9944920f0d4165
SHA1 hash:
a63f3947f9d67ae2269312a49cd1587334439269
SH256 hash:
2388d16f2f0aa2356b18a27b4dfb7f1cf92281ce552f8b345074f3f76c765557
MD5 hash:
8464437055d3802341c759fac19a4eb0
SHA1 hash:
2a9668faa9ac1adf7c844406cc29829d35e9294f
Detections:
win_formbook_w0
win_formbook_auto
win_formbook_g0
win_formbook_w0
win_formbook_auto
win_formbook_g0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
3e2763c4e10e822e79c3c8890a0041a0f978cbfeb7e4a78156c9b6aabf7cb4d0
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
SH256 hash:
9a5f71aa947c26f87c1e40d67b976f1c720f9bb9b01538147311a21dbec5bd36
MD5 hash:
b0df0927a5b680ec219d1596234256cb
SHA1 hash:
47bf58ba173bdf358da0de3bc84e09037c81ec79
SH256 hash:
bdcc7e9bf098a6231d3797ada9e1879c590ad0268ed049299602a99d0f6747ff
MD5 hash:
777d8633855ca251fb9944920f0d4165
SHA1 hash:
a63f3947f9d67ae2269312a49cd1587334439269
SH256 hash:
9a5f71aa947c26f87c1e40d67b976f1c720f9bb9b01538147311a21dbec5bd36
MD5 hash:
b0df0927a5b680ec219d1596234256cb
SHA1 hash:
47bf58ba173bdf358da0de3bc84e09037c81ec79
SH256 hash:
2388d16f2f0aa2356b18a27b4dfb7f1cf92281ce552f8b345074f3f76c765557
MD5 hash:
8464437055d3802341c759fac19a4eb0
SHA1 hash:
2a9668faa9ac1adf7c844406cc29829d35e9294f
Detections:
win_formbook_w0
win_formbook_auto
win_formbook_g0
win_formbook_w0
win_formbook_auto
win_formbook_g0
win_formbook_w0
win_formbook_auto
win_formbook_g0
Parent samples :
3e2763c4e10e822e79c3c8890a0041a0f978cbfeb7e4a78156c9b6aabf7cb4d0
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
e9b8ae3066f5fac9d17f0fe8c64f2c086fd69bf15e87843c457b7bd66cd2377b
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
bb9a1bfefff16c8720092c4a5b23549b88ee1bde733dacdf082e226d41b2cc5a
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
6ef2063e8207f9c58067966a90ec7bfbcc6c31b3df611fcb8bf88cf531e579d0
e4268cb757dab357988c8891f77ac727af8c27acb4668d9361237a5df26e9b69
b67aa8dfe6ff4cd4478be74edc93000fa290ac31c7f869c8191220ef40239f87
68ddd295e62084245133f0faa9600fa47b984826ef10ca6b724614a5bfa13366
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
SH256 hash:
bdcc7e9bf098a6231d3797ada9e1879c590ad0268ed049299602a99d0f6747ff
MD5 hash:
777d8633855ca251fb9944920f0d4165
SHA1 hash:
a63f3947f9d67ae2269312a49cd1587334439269
SH256 hash:
9a5f71aa947c26f87c1e40d67b976f1c720f9bb9b01538147311a21dbec5bd36
MD5 hash:
b0df0927a5b680ec219d1596234256cb
SHA1 hash:
47bf58ba173bdf358da0de3bc84e09037c81ec79
SH256 hash:
d77523803125e052acea94494e7a44be5ff7a5bb79b5de28b52e46c0f0f2f0ab
MD5 hash:
372c41f00d904111ebf0908b83fb97b2
SHA1 hash:
ddce6774c4ccdf42545d0f1e5cc28d09b9c68522
Malware family:
XLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.