MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f
SHA3-384 hash:	ec0b168d2ea1259e00b4f14e0a46bf105f02d65bb589693c0ebb39bbc7c0edab1275336349ef50121e5e5ff8c6730bdb
SHA1 hash:	8c6bf8c3800edb00c127a195fb416df968ac5eb4
MD5 hash:	29594a9cf01970b6d01f1887e4ad287b
humanhash:	coffee-south-paris-grey
File name:	Solicitud de una nueva cotización de FW.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	655'872 bytes
First seen:	2023-05-23 15:28:19 UTC
Last seen:	2023-06-15 01:08:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:E+nzsn296riLPyrwATwqqG5L0z/CWSJOtgTs:62UriLfATNqG5ALClJOg
Threatray	3'009 similar samples on MalwareBazaar
TLSH	T137D4F16B174B8836C8250AF85666E6B9A2317FE86537C327ADE37C33F5393439C05192
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	68ec9acaabd0dcf0 (12 x Loki, 8 x AgentTesla, 4 x Formbook)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Solicitud de una nueva cotización de FW.exe

Verdict:

Malicious activity

Analysis date:

2023-05-23 15:29:51 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/8bfb7edf-9fd9-4ad7-9b3f-d70606dd1ea0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2042.25081.25508.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process from a recently created file

Creating a window

Creating a file

Searching for synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo lokibot packed warzone

Link:

https://www.filescan.io/uploads/646cdbbf63d8dda9d0ac6d04/reports/e0c4fb3f-9c63-4ff5-805b-484dc6da2acc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b10f0e29-5fc7-426c-ab2c-7f1fdf5e908c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1240993

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-23 05:09:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 36 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4mgudxylgocowv5ga6mjxx7eagi3j2a57frspqmxj5wqli5d3a7q._file

Verdict:

malicious

Label(s):

formbook

Formbook

4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e

Formbook

4f97be86fd94c84a31cd8aa9bdb4310a6d251d0560e23eebb93d84596df72dfd

Formbook

9c0a4fbfc6a9ee19747c3bd56699ad195ef95f65752476a208f7ef7fc2dd27f8

Formbook

c233b5359370a026201a1648489a3f1f91fd11cadb41e87ce45c60ea3a15f8f1

Formbook

c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564

Formbook

c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0

Formbook

f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb

Formbook

f0eef09d45e8b0edf907f9fa6f9bd84a33327f62359fef4b92508a413d68c1b3

Formbook

+ 2'999 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:cx01 rat spyware stealer trojan

Link:

https://tria.ge/reports/230523-swwphsgg6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

65532eced8f8afb2148aae4fea0cf6764349256c0b5a3a89a6875b6bed2a6a09

MD5 hash:

e979886dd03a38f4ea730b97f421196f

SHA1 hash:

6a0f676c2735a5afaea258ee5ab12b9d5299aba4

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/0d5b548e-385b-4966-8215-350fbb411fbf/

Parent samples :

c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564
f0eef09d45e8b0edf907f9fa6f9bd84a33327f62359fef4b92508a413d68c1b3
3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
319ed15753e7ce1ff182e1bd2e4900de9c76300f30cb645c01b57324de50face
c233b5359370a026201a1648489a3f1f91fd11cadb41e87ce45c60ea3a15f8f1
07ad0c61940072d3f26c6706e550f970c2e3ee59d1b0a519515ebf16e013b11c
c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0
4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e
3b0069e420ccfba9dff2e274d714fe3f62a6b9f3b5630e0fd28a89f579ebadcd
9c0a4fbfc6a9ee19747c3bd56699ad195ef95f65752476a208f7ef7fc2dd27f8
e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f
880b7f96797851986e0dfb579afb707a7529f1adf9cce67efb7534d4003b8aa7

SH256 hash:

cb5ee4cfd7179a57298c02ce4ccc9c2ca6b0b310758a7320340cf0a40ab62f88

MD5 hash:

0dd66dbaf510e93ec00b9eadf5ec34b6

SHA1 hash:

b7e1b7bbf2d58cc03beeb7095ae98e03426f39a7

Link:

https://www.unpac.me/results/0d5b548e-385b-4966-8215-350fbb411fbf/

SH256 hash:

0e70ec4789d3682eedc0232f3a8b23862bede7b4a5b4f086d58fa6da1c954c5b

MD5 hash:

71e1dc79c29e4f5308a463769f655006

SHA1 hash:

9cb5033bd928b02f8201604b86977e35e32bfa54

Link:

https://www.unpac.me/results/0d5b548e-385b-4966-8215-350fbb411fbf/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/0d5b548e-385b-4966-8215-350fbb411fbf/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

38a2f6806f6418a771ef89f30feb00a7dd4edd3940ec94e126801bafb9c4a08f

MD5 hash:

c58bbc74553962eb6ac583c1ef9f182c

SHA1 hash:

68dbbb6340b6869bb5a11b5470dd53d4703fbe08

Link:

https://www.unpac.me/results/0d5b548e-385b-4966-8215-350fbb411fbf/

SH256 hash:

e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f

MD5 hash:

29594a9cf01970b6d01f1887e4ad287b

SHA1 hash:

8c6bf8c3800edb00c127a195fb416df968ac5eb4

Link:

https://www.unpac.me/results/0d5b548e-385b-4966-8215-350fbb411fbf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample