MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3
SHA3-384 hash:	fbe6c72e501039fbfbfc39da9032df683734655833ce2c4678ee832e042423ec7f600455ebada005a3aa2435d827a779
SHA1 hash:	d1561d0fe8f6ec741beb38753f5a6a9a0670a6eb
MD5 hash:	279968ab788fe37045d7d55d1c7594d9
humanhash:	steak-nevada-green-bakerloo
File name:	doc0294852331.pdf.z
Download:	download sample
Signature	Formbook Create hunting rule
File size:	295'281 bytes
First seen:	2023-05-30 12:40:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:JYa6pyfemzTStrLuxFl9QZjrYtyh7aYPGPqZWEzZcx6Zp:JYLyWMWtrLufHYjctaa7PqVZVD
Threatray	2'974 similar samples on MalwareBazaar
TLSH	T14654126C3070C05BD1C544759CB6A266EFEAAE1C9022470F67E07AEEB8707A1D50EB67
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

doc0294852331.pdf.z

Verdict:

Malicious activity

Analysis date:

2023-05-30 12:43:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/107c98c3-20f3-43d3-b453-fbbbb0085cb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/393583/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.22790.5920.10725.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88724/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6475eedee8d73a4b92837d80/reports/39055a9d-5184-4b8b-b634-b5e8d67531a9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1c5ca6b-4244-4042-9c1b-55cb14489952

Result

Threat name:

NSISDropper, FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1245254

Signature

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-29 22:49:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4vdczn56kescpdd27ljjqm2bvyo7mrwrib7farcwpsue3mbv7crq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4556daea929e88c1831b8a92814ae2f57b9b8a57be14487a03650ee81d36b67e

Formbook

45c495f1765c2a86062980d2e2b196b0696247fa42199a6fd278cd739550db57

Formbook

69b82b41a7cfa515bf64c0302089df4a7f0af0791ca5499b6c402c9638d68381

Formbook

7724828eb796d8c3310c8af73e9c19ecf37ad1af5ebc0cbd35efc5d4b36f36d2

Formbook

7e730ca7f92fd178c170d14422fbd34ea085e602dc22597d4aec331df1d55d0e

Formbook

86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54

Formbook

8d09e31a3dd39e1aefa76a78876ce7c3a2bbe90dc00cff250710531115b4b88e

Formbook

90f8a6e23c16788ef3a7adee0b9b9a03cede0905367d71a8be46d3dc24b7b759

Formbook

c8a94c78a7376f91457a32319670c828f10d5616712154c969ef65bee7de122f

Formbook

+ 2'964 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230530-pwrh1she88/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

ce25649abbe9630dc2b2d01633b89e1688fd701ef301838a083460cb11703ebf

MD5 hash:

30378a18a14c234fc4b39656c48c953c

SHA1 hash:

2506b2673a07297c20a25e8836b92d94b758f970

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/b2f2ce6c-8b05-49f0-b19a-e29235b6535e/

Parent samples :

45c495f1765c2a86062980d2e2b196b0696247fa42199a6fd278cd739550db57
86c26b4efb879db206ff583c304e8ceb75470c970b53737fd6d1fa4f6c4d1e54
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3
57b9e598a2344a9f11ea57e9def885d0548034bbfd7020c697770bc68d12660d
bf6837cd64c8a37fc41b2d868fdd148e637f926e6665fe25f40f2b46327cdf31
12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6

SH256 hash:

5de47656d70990ec230319bd2e35b9254a19583f005487551a0d9a951607feed

MD5 hash:

c9d1695f8f861de42ff96e5a03ae3e36

SHA1 hash:

a09c013a0c262d8c8f6dba5ffbb4c2c4760129b4

Link:

https://www.unpac.me/results/b2f2ce6c-8b05-49f0-b19a-e29235b6535e/

SH256 hash:

9c531865a1e20ca66cff12d92fc8adf483dc393f0e9571079e05959be022bd65

MD5 hash:

aa90808eac66c2c56d9874790cd555aa

SHA1 hash:

14588af05b3c45a70869397c22be94d777add9a8

Link:

https://www.unpac.me/results/b2f2ce6c-8b05-49f0-b19a-e29235b6535e/

SH256 hash:

e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3

MD5 hash:

279968ab788fe37045d7d55d1c7594d9

SHA1 hash:

d1561d0fe8f6ec741beb38753f5a6a9a0670a6eb

Link:

https://www.unpac.me/results/b2f2ce6c-8b05-49f0-b19a-e29235b6535e/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e5462cb7be51/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e5462cb7be5124278c7afad2983341ae1df646d1407e5044567ca84db035f8a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/393583/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample