MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
SHA3-384 hash: 993cb7766a67502d83628b6fa5bc1e83a1b61e3165715f71da031ba4716eabab559aeb30a07d07aaf2014cff9e37b378
SHA1 hash: c086874b0464e05ab673eb3fd25a9daf127a9306
MD5 hash: 00cba5ac38a2be211a6d16f642c794c8
humanhash: william-carbon-enemy-failed
File name:Transferencia.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:737'280 bytes
First seen:2024-05-31 07:50:10 UTC
Last seen:2024-05-31 08:30:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:DRhDhagHCN1Kf+51OW0KikYVKSCEAcfDw1VFx6Jiki8R5UHDqrNKwl3Leh:FhDhagq1m+5orZK/EAADw1x6JJGjuL3w
TLSH T150F4125136746F63E87983F90675AC8443FA7D427222E2C80DDA30EB1AE5F524741EBB
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 0030717171717800 (6 x AgentTesla, 3 x Formbook, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
340
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Rv_ Transferencia.zip
Verdict:
Malicious activity
Analysis date:
2024-05-30 15:02:40 UTC
Tags:
formbook stealer spyware
Link:
https://app.any.run/tasks/ed32c528-03a3-4edf-823d-c29377587177

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.38977.11668.21203.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66598a3e20ad30d287677896win7simulatehigh_evasion
Tags:
Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6659816969b20f1c4ea4118b/reports/0d5e40b8-8aeb-4d07-ae63-33c6dc047fe9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/417ecabe-07f9-43fc-92df-cb0f1edf9cef
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1450054
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1450054 Sample: Transferencia.exe Startdate: 31/05/2024 Architecture: WINDOWS Score: 100 28 www.uqdr.cn 2->28 30 www.theppelin.online 2->30 32 20 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 6 other signatures 2->48 10 Transferencia.exe 3 2->10         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 10->60 13 Transferencia.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 16 JgCtECCYhFGQfsqHLWYVtbmO.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 TSTheme.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 2 other signatures 19->56 22 JgCtECCYhFGQfsqHLWYVtbmO.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.getmall.online 203.161.43.228, 49776, 49777, 49778 VNPT-AS-VNVNPTCorpVN Malaysia 22->34 36 www.shengniu.com 152.32.189.143, 49796, 49797, 49798 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK Hong Kong 22->36 38 10 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-05-30 13:29:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3cteznusnbe4f33qmlfxja22qsplklawzth7lwheutci72fuxsva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240531-jptf5sce95/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f44b6d0d-09a9-4126-98d8-baf7cf79bde0
Unpacked files
SH256 hash:
c0e246e6291aefdcf8cdcbb21b2e58c8ee7d73d673036fd61fec22115c7ef997
MD5 hash:
5e6d96ec845915bf8dce30ee86403db0
SHA1 hash:
fcac493df8453d7a7be48104476c511a4ce89e46
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
Parent samples :
d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
4c7e553411c390511f61ab68183eaf5b5857a32eca4c46eeaca75069ad8022ea
SH256 hash:
6215c4f3fc7666f2a5757e6779864a884d7d698bb02594e4c8456f84daf6bb5e
MD5 hash:
cfe7e26312cf4ce9c4c628a290b6a55a
SHA1 hash:
71216d923775f21b2ee26913d1098fc035eb0b77
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
1feba65bd2aa62dc3cad4b386b25e5a5922cfaaa4f0c1aecff536bf10f54dc12
MD5 hash:
21ca6aa79257797cfcf81faf284a9f89
SHA1 hash:
bb55c21f04bd9a0d6fbd40f7129ec68344bd524e
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
25b5214317428b6661d063585c9de0ceb173e0cbf529069873599ac09f179ae9
MD5 hash:
a09ba49a164d02715cea9498b85dadb3
SHA1 hash:
5cb0c737d9fb738c36ca64082b53cd2d816b6e8b
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
Parent samples :
6379fc2cce3608db3ed95f85abf8e7391890b839c151224cca1dfc64c545b4d1
655a38b1686aa4f75f6dd4f2b59c8e9e09cde9997b46bafbe4e3dee38d859c99
SH256 hash:
2fd648945ba6fa919af3e748373115017a80ae1807b94b9115ca3bced2ac1471
MD5 hash:
b8928dc1783cc0679ace2bc58668f049
SHA1 hash:
325b8f3eba33ded6f89d5efe6896991a5324d447
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
b6be9a8c80cb6e5f8f00ed7eba09437138b08ca40a9d7b1f0efa8088c98ce632
MD5 hash:
9b4365bd6bacdc01eec2363724ffb58a
SHA1 hash:
ff233631accfe83d014268ffb5d70910d048caaf
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
c9b818ac81f41ba2f64c481f0b0deb6ebc03c714f556d28c9915992cef7add95
MD5 hash:
28924178b8fcac6ed0fe9038eb158bda
SHA1 hash:
ee55ef8022ddbb0d5ab80445342eae3f05d59132
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
bb3ec318aab390bae26622481ce8d18b4191d26c88085d546a26d4d5263d67a0
MD5 hash:
113d04fd4318e36817890dee67e532c0
SHA1 hash:
e31f22e18743be94337196573adb8ee9fcf537d9
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
b4acbe94504680e5ac0a536aab0123d43091115015787bb2a8ae21d50d02a770
MD5 hash:
cf037fe9f7ec42fe0f9d2d29c52a847b
SHA1 hash:
a4549d4c01a372b873694737a4927d140729aeac
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
eeb1cb9f72390be1caa68cb0c96d2322828b9d07898e6bc9253a166884d3d17e
MD5 hash:
4597258ddcb804a2e93392411849ea4f
SHA1 hash:
8a9d67e202f50dcef9b98c7bd628a1215b241c58
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
a424fd410bb3298d829a3a730c8f6747c510464458c5137f626166de5262ea87
MD5 hash:
53bbb09470e01ac40af97a7efce611f5
SHA1 hash:
504957025d93f093bf541ad0f61cc5457ae844cb
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
SH256 hash:
d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa
MD5 hash:
00cba5ac38a2be211a6d16f642c794c8
SHA1 hash:
c086874b0464e05ab673eb3fd25a9daf127a9306
Link:
https://www.unpac.me/results/e5b697fd-64a4-4402-8c37-7cbdae077603/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/d8a64cb6926849c2ef7062cb74835a849eb52c16cccff5d8e4a4c48fe8b4bcaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments