MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45a7904b4a10f7130338040cea85d323aaabeaa52c85b28fa1b439f5ffb0f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e45a7904b4a10f7130338040cea85d323aaabeaa52c85b28fa1b439f5ffb0f04
SHA3-384 hash: 83631280f024ee763885aeafc169fb17d279ea180163dde9b2bcb0f75fb682cdc45b4629736902d862a0962961881a6a
SHA1 hash: 39dd76e1b059e4b34cc3f6d0f41e7c75f32c6bc6
MD5 hash: 656b3a7898ab377ea449a63ee418eab6
humanhash: oscar-skylark-july-montana
File name:Revised PI.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:260'901 bytes
First seen:2023-07-18 07:22:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:/Ya66SI63Qrs6AdLru2Kd9Xl7sDszclojbmgGGn2Ru:/YUNUQuRYfrzcyjb3GGn2Ru
Threatray 3'309 similar samples on MalwareBazaar
TLSH T1A544121479A5C0E7EBA263710F724916AAF8FD211EB4674F5BE06A0C7E72090D41E3B7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Revised PI.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-18 07:23:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6ba844f6-4900-4e32-998b-62e210809c94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423281/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.11379.13361.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64b63dd9fd9e198dc1153790/reports/2a92ecb5-13dc-4576-858a-1998eb87481a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e45a7904b4a10f7130338040cea85d323aaabeaa52c85b28fa1b439f5ffb0f04
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76592281-98db-4fbb-9061-aacdc361047c
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274924
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e45a7904b4a10f7130338040cea85d323aaabeaa52c85b28fa1b439f5ffb0f04/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 04:14:29 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rnhsbfuuehxcmbtqbam5kc5gi5kvpvkklefwkh2dnbz6x73b4ca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
280c90337bb2021f4e634d522737bd4da3b0c1a623d760c7d209b507e3307ace
Formbook
3b2cdea86106106bf0ec55e86a4b2e4a6beaf5fda5597c774f4b6de99a0cb08f
Formbook
86d4e06d459d993e94c995dc65bf75afbc4f91386ad7b10a1446bbb994c81d64
Formbook
890f1ea5f0e86fd180f4767b52a72d81d5f6116b545838f10a3cafe93379c3fd
Formbook
89a7943f47dd4d160553813d7f4cea88a6b7e7134de0c6734c23942c7ece7764
Formbook
a164652a4336afd460b41b4b744547c5f7999e35ae5b8ccf1abbc6bb2d2c5a32
Formbook
b532a96b9e9f065c4c82099e4ee5f3714110cd15290874fe7d20e453b89f6a8d
Formbook
+ 3'299 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230718-h7s3nahf5t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
476d0465af12bb262b716784b706618d03ba3937a814b64b7f8d060fe6ff1ec9
MD5 hash:
4ef64a9af9efda6cac42134e14e174b4
SHA1 hash:
eea334e7c1be5458c4cece4a984a969c8add1bbe
Link:
https://www.unpac.me/results/3a77ff9a-5c87-40d4-9b95-9a96c09aa2b7/
SH256 hash:
8a219bc484549496821004daa2e88653bea7c53b922db244bf4116ce19ff0e07
MD5 hash:
5606680621c2701b5d9ecc3c6c7ab205
SHA1 hash:
cbc9a43573bb4238ded06073ed59ab183b6fcdd8
Link:
https://www.unpac.me/results/3a77ff9a-5c87-40d4-9b95-9a96c09aa2b7/
SH256 hash:
6bd0ed4c34c5a222cd819f9a2e270faeac902d45089fb5c2e2faf5c12caea6f5
MD5 hash:
54764586e4c75185697b6e0952e856b1
SHA1 hash:
3925f83d9f343d4b7a33c3beeaa0a4c7eaf0da33
Link:
https://www.unpac.me/results/3a77ff9a-5c87-40d4-9b95-9a96c09aa2b7/
SH256 hash:
e45a7904b4a10f7130338040cea85d323aaabeaa52c85b28fa1b439f5ffb0f04
MD5 hash:
656b3a7898ab377ea449a63ee418eab6
SHA1 hash:
39dd76e1b059e4b34cc3f6d0f41e7c75f32c6bc6
Link:
https://www.unpac.me/results/3a77ff9a-5c87-40d4-9b95-9a96c09aa2b7/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e45a7904b4a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar fe706c527566e76231998c6a8fad91eea8a791cc713c685f0f8ea4ea55067d46

Formbook

Executable exe e45a7904b4a10f7130338040cea85d323aaabeaa52c85b28fa1b439f5ffb0f04

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fe706c527566e76231998c6a8fad91eea8a791cc713c685f0f8ea4ea55067d46
Cape
Cape
https://www.capesandbox.com/analysis/423281/
  
Dropped by
MD5 3d8abfc6f5a8edd812ceb1c60c6a9596

Comments