MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8
SHA3-384 hash: b2387710143b1780f63561be55a96e5b1e7f5f49189810727bb307b661552b63a1dcf7de1f14644b36f3a45ace14b547
SHA1 hash: d7aea6e74f48bca41050d8d9a2594a3e956f835d
MD5 hash: 457a3215ab9d572d394b18930254057f
humanhash: autumn-maine-seventeen-single
File name:INVOICE #2736.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:431'011 bytes
First seen:2023-03-20 07:24:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:OYa6QZkwqB2Yy+85iKZ8SL8JewFAT6QfReRMmGtlgztGqmX2:OYK3m2Y7pKFL8NFAT6qCCteztGqS2
Threatray 2'457 similar samples on MalwareBazaar
TLSH T1BB94E7DE02F1105FE12945B4AD59AFE02960ECB87B52C616BD40FDCEBE723E154622F2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4bada9ae8cca4c8 (13 x Formbook, 6 x AgentTesla, 5 x AveMariaRAT)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE #2736.exe
Verdict:
Malicious activity
Analysis date:
2023-03-20 07:32:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/559e7e43-d740-444a-9952-9ea425e1789b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/375781/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Searching for synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74181/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/64180a5d3b01ade53e6f9965/reports/28e1cac5-2107-4397-8e97-7cde18f14c13/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4044f6b6-ad07-4845-a15b-50f51699cd62
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1197380
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 830281 Sample: INVOICE_#2736.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->40 42 4 other signatures 2->42 9 INVOICE_#2736.exe 19 2->9         started        process3 file4 26 C:\Users\user\AppData\...\wklzmcghso.exe, PE32 9->26 dropped 12 wklzmcghso.exe 9->12         started        process5 signatures6 54 Antivirus detection for dropped file 12->54 56 Multi AV Scanner detection for dropped file 12->56 58 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->58 60 Maps a DLL or memory area into another process 12->60 15 wklzmcghso.exe 12->15         started        process7 signatures8 62 Modifies the context of a thread in another process (thread injection) 15->62 64 Maps a DLL or memory area into another process 15->64 66 Sample uses process hollowing technique 15->66 68 Queues an APC in another process (thread injection) 15->68 18 explorer.exe 3 6 15->18 injected process9 dnsIp10 28 www.berlinhealthweek.com 130.185.109.77, 49708, 80 XIRRADE Germany 18->28 30 www.jhg61.com 150.129.40.9, 49718, 80 TELECOM-HKHongKongTelecomGlobalDataCentreHK Hong Kong 18->30 32 5 other IPs or domains 18->32 44 System process connects to network (likely due to code injection or exploit) 18->44 22 WWAHost.exe 13 18->22         started        signatures11 process12 dnsIp13 34 www.jhg61.com 22->34 46 Tries to steal Mail credentials (via file / registry access) 22->46 48 Tries to harvest and steal browser information (history, passwords, etc) 22->48 50 Modifies the context of a thread in another process (thread injection) 22->50 52 Maps a DLL or memory area into another process 22->52 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 02:10:40 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
28 of 39 (71.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=26f7tyjmcrishg237xoi2tozpguse7ts4ozx42wgesdp3a7yztua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4873abac800f1c2594fdf8802b84ecfbdb7e704c0d46ff5edf66f46ec7a692e7
Formbook
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
Formbook
82bb5ca075a83da9c44b1a9214aa7590bf992d8206038b4f3edd6bd8230f966d
Formbook
83e90e75eb49fccf0f69331483311ce57f89b33824fbec54e773af910da239a8
Formbook
a1f1dfe6d2c7d5010bd2d3eef64f83695307f83e12f05aa89762113fd13a9456
Formbook
afbccae6537d0602edbc99ef03ec8b89ec23df241079f949c0b8a0aa6f9aa8f0
Formbook
bedb5ef007caf41eb52f0331f1fdf5997271a828df7adb1e1132063129eba99e
Formbook
d69b13f1276594f9f10cf722a15179b0d71911a92d15a726e1bdd234a880cf92
Formbook
f3197cca74f60c552d9d3b4d04d99996ceca8c8dc6ad845a468c10c65062a0fc
Formbook
f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4
Formbook
+ 2'447 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230320-h8y1ased3v/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
e5dbdc01986d7a1a5febe880e0ae60c299de29fd8e1c87d38d961b0851cee236
MD5 hash:
dfa855f0b9535007843b04475c93eb8d
SHA1 hash:
0c13eae96b9684902b3e30f52b59152ec80e0941
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/37b42dc6-c156-40ea-bf28-786f67b197c6/
Parent samples :
d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8
fe7399693ffec861fff386b07855b2137ae3eb8784723a7816f78122c4c22c80
f3aa635a38f6737c7250e72a15aa596ca55d1cf31398bdcb7c5c6254cadbabf2
891145e24408acfe405ee35239c2fbea9d5b4b2855055e3d466e01ad2cb4fd68
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
4c2d0702d2d40c1da4266fcebbd7eb4b7ad82f896fa6498e435faaf90e677f20
04e338b306c1f8ae3c2025bfa779a5926f0432270792db5acb944e486c7893a5
4690616c9b7b3d211237ffb3c8d981027e6a9894ab5a27f584828b67585a9886
984d0d606afc5cd507cd73f111c4de3043a19f6815db65cf2bd70bd6257d2713
cfc12adfab410acd8090691e1b66fb468e033c5c5a5de350016b3cf133be27a8
b060f747e4aa941b42d475cf40290b6211911e1e949d8a2df0705660cd014996
SH256 hash:
90eca4b22b8fc2bdff42ed891a191fbf278b9ac8b3763bf31993395aa9c53cef
MD5 hash:
b4dfaced2d96fc64b5c7e6069770c170
SHA1 hash:
45cc7ca3d357bee2d48761165a0596a29baa346a
Link:
https://www.unpac.me/results/37b42dc6-c156-40ea-bf28-786f67b197c6/
SH256 hash:
301867c741034c0d5fab07a2db8a06eb6b74e19cf5577128c12c4cfd0bce1533
MD5 hash:
c6526ef8cf3b6c914b1d7534b0e7a209
SHA1 hash:
df4088eadde0c376d2929ab0e96db714c3a6cfef
Link:
https://www.unpac.me/results/37b42dc6-c156-40ea-bf28-786f67b197c6/
SH256 hash:
d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8
MD5 hash:
457a3215ab9d572d394b18930254057f
SHA1 hash:
d7aea6e74f48bca41050d8d9a2594a3e956f835d
Link:
https://www.unpac.me/results/37b42dc6-c156-40ea-bf28-786f67b197c6/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d78bf9e12c14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d78bf9e12c1451239b5bfddc8d4dd979a9227e72e3b37e6ac62486fd83f8cce8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/375781/

Comments