MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14
SHA3-384 hash:	4dbfb5b49a621d344eec453772cdfd2407455232f165f644170bfc24b15e588069c960b9c163790412568af39335159a
SHA1 hash:	0c4548489461a76bae0161ed4612b5546b4141fa
MD5 hash:	6a9aea17605d53206fe8582c19fb0333
humanhash:	eleven-gee-kansas-salami
File name:	SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141
Download:	download sample
Signature	Formbook Create hunting rule
File size:	260'087 bytes
First seen:	2023-07-03 02:27:56 UTC
Last seen:	2023-07-03 02:27:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	6144:/Ya6pFEAozjQi8b9oYrAymV/TN5gObUx9OCvPq:/YrFEXfOj0d/B5g5lvPq
Threatray	3'174 similar samples on MalwareBazaar
TLSH	T1584412349E74D0BBF8E709F1493E0F1B2EF0DA1608B15A4B63405DBE76BA6915B0CB21
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Gen.Variant.Nemesis.22780.7904.14141

Verdict:

Suspicious activity

Analysis date:

2023-07-03 03:52:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/399a5d9d-7250-43a0-92a3-978f07ca627b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/405603/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/95080/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64a2323351710bcd8d43e2f7/reports/9840663e-4508-4951-b3f4-b78d302fecb8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8421ea63-62da-4c2d-ad9f-3129de52a390

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1265412

Signature

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-07-03 01:33:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4is4vyncce6f4aj6jzjbpqs3746btagqx6eg2qcd2hismfpeh4ka._file

Verdict:

malicious

Label(s):

formbook

Formbook

5adbcb5406936cc182300072b9306adda1eb3cf1aac9e87ad211515d19450bd9

Formbook

6993166411c91917f43e2a6fc68fdbcf52d10e62efe1e98ee63c2af87ace1fd8

Formbook

8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a

Formbook

929bb5ebaacd2750b9f7cbabb07e7fdf678d2958b8552af4e7fb705bbb92c21e

Formbook

9409e367a0c9bdead66274f114e20c752c57723ce730c715b5f126f37ec1964e

Formbook

bd27f580c5a07f8ead5a2ead3ffa65e35e570e0d5e4e9acdc2292fdee9311cd1

Formbook

bfc9cf8ef1369ba05191e708fea5b6c71d653dee922f15a53a7aed0642e1b756

Formbook

c5822a27ce347fa89e7a732a9d0aef9eae76e096cdb60706b7c5bf859b780f8e

Formbook

+ 3'164 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230703-cxz6bsed59/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14

MD5 hash:

6a9aea17605d53206fe8582c19fb0333

SHA1 hash:

0c4548489461a76bae0161ed4612b5546b4141fa

Link:

https://www.unpac.me/results/8952ef30-49c4-4b45-94bc-77247ab84765/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e225cae1a2113c5e013e4e5217c25bff3c1980d0bf886d4043d1d12615e43f14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/405603/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample