MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5
SHA3-384 hash: 06c738eebe37b748784320b8205042dd6169e4793da5fbbf0582f4c74e29110952acae8a6754029f297b29d6993f0459
SHA1 hash: 526c9a0add15b724cc5af4cade31b029c0c92e56
MD5 hash: 8f375217380183e090681f1dc8eba0e8
humanhash: music-juliet-ceiling-carpet
File name:PO-10152023.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'201'664 bytes
First seen:2023-06-15 06:46:41 UTC
Last seen:2023-06-19 07:42:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7EDE/61/dURk9qXpA11+mf2MrcUBijMruJKLm7umSvblHnuEK04:sq0URJiQmaUB8JKy3STlHu
TLSH T1F445D43D9CBD5237A674C6A6CF94B866F094D3B731122C39A8D35285462BD4B3AC313E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
6
# of downloads :
259
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO-10152023.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 06:47:50 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/16888b33-2f97-4ca5-8528-df1fc4ff2c1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399040/
Detection(s):
SecuriteInfo.com.Trojan.GenericFCA.Agent.95937.13822.27885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed quasar
Link:
https://www.filescan.io/uploads/648ab3e890acee489f78df43/reports/1383304a-dfdb-4ae5-8bdd-101c9e195829/overview
Verdict:
Malicious
Labled as:
Trojan.GenericFCA.Agent
Link:
https://www.hybrid-analysis.com/sample/dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6ed6e41-497a-4622-aaf3-7ede33808bf6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255062
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 888082 Sample: PO-10152023.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 100 57 www.187597.com 2->57 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for URL or domain 2->77 79 7 other signatures 2->79 11 PO-10152023.exe 7 2->11         started        15 gvvgziabpIdvO.exe 5 2->15         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\gvvgziabpIdvO.exe, PE32 11->49 dropped 51 C:\...\gvvgziabpIdvO.exe:Zone.Identifier, ASCII 11->51 dropped 53 C:\Users\user\AppData\Local\...\tmpC2E1.tmp, XML 11->53 dropped 55 C:\Users\user\AppData\...\PO-10152023.exe.log, ASCII 11->55 dropped 87 Uses schtasks.exe or at.exe to add and modify task schedules 11->87 89 Adds a directory exclusion to Windows Defender 11->89 91 Tries to detect virtualization through RDTSC time measurements 11->91 17 PO-10152023.exe 11->17         started        20 powershell.exe 21 11->20         started        22 schtasks.exe 1 11->22         started        93 Multi AV Scanner detection for dropped file 15->93 95 Machine Learning detection for dropped file 15->95 97 Injects a PE file into a foreign processes 15->97 24 gvvgziabpIdvO.exe 15->24         started        26 schtasks.exe 1 15->26         started        28 gvvgziabpIdvO.exe 15->28         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 17->65 67 Maps a DLL or memory area into another process 17->67 69 Sample uses process hollowing technique 17->69 71 Queues an APC in another process (thread injection) 17->71 30 explorer.exe 2 1 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        process9 dnsIp10 59 www.dtripofjava.com 30->59 61 www.bennettpublicationsllc.com 30->61 63 bennettpublicationsllc.com 34.102.136.180, 49697, 80 GOOGLEUS United States 30->63 99 System process connects to network (likely due to code injection or exploit) 30->99 40 raserver.exe 30->40         started        43 cmd.exe 30->43         started        signatures11 process12 signatures13 81 Modifies the context of a thread in another process (thread injection) 40->81 83 Maps a DLL or memory area into another process 40->83 85 Tries to detect virtualization through RDTSC time measurements 40->85 45 cmd.exe 1 40->45         started        process14 process15 47 conhost.exe 45->47         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 19:46:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qi5jeervv2fpziikkchhb237d45dx24w3juviegcuuvuzobwpkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ga94 rat spyware stealer trojan
Link:
https://tria.ge/reports/230615-hj7k5seh98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
8a1b54ab3a392d98de6b6cb345fa72b10b464662f008e2b1918a63e0ea2f1762
MD5 hash:
68b3754d1f53e86ef68665ecc2c35b03
SHA1 hash:
2bfd9ff3d6c6c036fdbc32e302fe5e1481199fea
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/83ac5f67-43a4-4bda-95dc-ab1042ccb580/
Parent samples :
dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5
3f5edf6f921e14f2640763e7178c2646a2131df0f8f447ae59100f3110939d9d
ec879f20532ad2763f5b921c58e0231e542ae4f7d488aadf0fdddbaf14fa3569
bda1a08d1c632950d8a4980f501b78336a1f0602919365d40c62b3d2877041b4
e0c2c4bd14c2479caf4f2d906935363ad946f4605e8031638d2c1fdbf15eab06
e57feb419a6737804816cd7418cb5baf7b9807f6b937898ed5bdf52f2cbc6135
6674ae23434aed95bd6623c3c118f05f7d7d086201f31e29483c5525a7b475e5
9a18a413786aea5dd8b45003ba6510f2c1735d9c0d8f28e19bbcd5da17dffc3d
d0822780e14edb57b8f46ebf39b402b90b12b4a9ee7a5537412302815982351a
SH256 hash:
d014a46c39ee21941ec9d36ffcbf699d3be59174dde7bce989724c4608b6be6a
MD5 hash:
57f2d1fd9fd24867a79d5f917728f53a
SHA1 hash:
f8d08a4d182be9b101fea43bf43bfc26e4b858b5
Link:
https://www.unpac.me/results/83ac5f67-43a4-4bda-95dc-ab1042ccb580/
SH256 hash:
2c86fbd27864054476a9dc8072027928382a76605b7ad6257f06edd3aa850c69
MD5 hash:
86500311a74f6d0b2b3facebd93f9c17
SHA1 hash:
d6fa9a86532e8f85b9eda7a644ef3053b593db70
Link:
https://www.unpac.me/results/83ac5f67-43a4-4bda-95dc-ab1042ccb580/
SH256 hash:
81a71e9a6b6b06e97cf14de3fa759a4b515cb15697a1c50c8d02b280c01a2d34
MD5 hash:
4f4213ab91c2effd8867142612490cc3
SHA1 hash:
bbde2cf6e92cb3a3f75b3a6db9e45a54be6b808d
Link:
https://www.unpac.me/results/83ac5f67-43a4-4bda-95dc-ab1042ccb580/
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
Link:
https://www.unpac.me/results/83ac5f67-43a4-4bda-95dc-ab1042ccb580/
SH256 hash:
dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5
MD5 hash:
8f375217380183e090681f1dc8eba0e8
SHA1 hash:
526c9a0add15b724cc5af4cade31b029c0c92e56
Link:
https://www.unpac.me/results/83ac5f67-43a4-4bda-95dc-ab1042ccb580/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc11d49091ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 63ae5c002960b573d101a2184e87a958a8937919f63293a38ec44fde0c5fb62a

Formbook

Executable exe dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 63ae5c002960b573d101a2184e87a958a8937919f63293a38ec44fde0c5fb62a
Cape
Cape
https://www.capesandbox.com/analysis/399040/
  
Dropped by
SHA256 f0841be7d1e75208b58b23bdf3532a41a65726743bc4c5ce1c77e0d76349fa3c
  
Dropped by
MD5 70d3d2b3a7edb743b6744c410dd8f0b2
  
Dropped by
MD5 c1ffaafad131850e0ab3500606e94293

Comments