MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
SHA3-384 hash: e2f53cb1ff7b6c0d11f97485ac7e18a2f4b6cef609f9f7c99ed5f68b1cb5ee258a6dd8a0138ec1cddd14649dfd8060de
SHA1 hash: 5666e3cc8600a08efc12d04424fb314b01f85159
MD5 hash: bdbc557b88ce579036f7b349b5022eea
humanhash: mirror-oscar-michigan-paris
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:889'856 bytes
First seen:2023-06-18 15:50:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:W1wtBYYgqfVbjgCtOQm2PEYweUW0uED8:WiPYYDdbjgUOQmXPRjF8
Threatray 1'450 similar samples on MalwareBazaar
TLSH T172152346790CA4F3CF614EFD901B48821BF61A192162CBD60DDE69EA46E8FD443C4BDB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
No threats detected
Analysis date:
2023-06-18 15:51:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eaed4241-604f-428a-a0bf-a49cccb1ef70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400187/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67530950.23609.10060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/648f27e6c544efdf77bf9491/reports/a4428286-9b02-4596-b46d-0b1eafc99782/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/097790d6-2261-4823-a7d1-3e5f91baca27
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1256889
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 06:09:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4v4zbkltcww6ectug7k4mzufce2bm7mvvjnxfqbm3muzu4qc7jra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03f51ffa9c987630724a451ad872f52bf97bd257ad06b58b6194f5dec29c8f13
Formbook
41ab6054625f7a03d1a0af44403ac248ca880ddc0141f61e41755b6f2263e42a
Formbook
88fadeb423bb62b7b435752119aac90877bb3486f3fa493e6b4cb1cb4c989bce
Formbook
973afd04fd466b41ebe1b7a3cbdc5a90217f754f2637cc25718cfe899e1c1365
Formbook
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
Formbook
c88bd050908fab9335adb9750835b3dd14ed46d185e69490182c5a8e327e41db
Formbook
ceda785eda517cb3617c767a40e724c114e61b24a571204277d5ee5c1bbfcab6
Formbook
dc11d49091ad7457e508528473875bf8f9d1df5cb6d34aa08615295a65c1b3d5
Formbook
+ 1'440 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230618-tagh5sgb79/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
63bf875417a4d14485debe930a5948b79f02b45bd9669c530e717d929bb8da99
MD5 hash:
f927688f7160b7a62052b1d3ff01d77c
SHA1 hash:
bb0924d0778ae7ca1992c3fedbc4f3a6301584cf
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
Parent samples :
ad8413339b31fc3d1dced5bea0a98a95dcc5751108b4cf1553cf040c4a2159b9
46d5ad3a78bf9fe4f4799240caf67fae21f78c6d8a665e9a92719c0efec186c4
d53929503f5d9632f215cf24983b0b2700f10db634265bcefe2cd8fa4efaf2f7
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
ed570698ccddfc346f65b5b86045d8af239e0d2400acd5836818b95e7b658cff
412c6188c1ab56d9a41bc91aa4b39e664ec9346a718a7ae9bf495618230d7c2d
b45f9e29351506203a4101b1559e928ec3de39850008d82598b8ce1c3a7a13c3
117657ffb63ef0b6355173babb3e4fd141dc8be775e2ef30c23953b6396f4f45
00d56f9d4e23372133f953d1a0bb58567bc2e9bc34f9e70304116a6382448458
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
SH256 hash:
f01a6fc735878ac63e8b5585179a21b4dea5d15b5c679ac90cbab1a9d36958cf
MD5 hash:
3532237c1316ef2cc8a39372a6b5f72c
SHA1 hash:
5cf317deeff0ce552c933c7d4e44ef3f5bd7746e
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
SH256 hash:
2c86fbd27864054476a9dc8072027928382a76605b7ad6257f06edd3aa850c69
MD5 hash:
86500311a74f6d0b2b3facebd93f9c17
SHA1 hash:
d6fa9a86532e8f85b9eda7a644ef3053b593db70
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
SH256 hash:
40681bf83ce0da1d2535722c8ca134bd6564a9eb7e3e1e2e1522c68b61815e55
MD5 hash:
8fe9b10711281bfeacca2471b2ae78f2
SHA1 hash:
ae020e0cca2c43257fe56a4fe442a349df8aad31
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
SH256 hash:
2f1d30e98df90c1b73ff1f45ed2b3b28738e4021cae23309be81b07ff5b7e3c2
MD5 hash:
2d541a8b7e099d404833867b19bd3594
SHA1 hash:
9ffc196f90acf488160fc4b44d8e87be312b797c
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
SH256 hash:
e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62
MD5 hash:
bdbc557b88ce579036f7b349b5022eea
SHA1 hash:
5666e3cc8600a08efc12d04424fb314b01f85159
Link:
https://www.unpac.me/results/73c14f95-80e6-48c6-abb6-50ae38efbd56/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e57990a97315/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e57990a97315ade20a7437d5c666851134167d95aa5b72c02cdb299a7202fa62

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400187/

Comments