MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f
SHA3-384 hash: 370ecbac9ff5a8041c950b0a6ea1cc2ddc04573750ad43b7e2e953627c36a6dfc8e28da17a2e36bcb4fefede1eb7e324
SHA1 hash: 618de1830863b48e3b7623d9e856635a3660ef24
MD5 hash: 3d0b3162ae0d69259f3d3c9770bc6165
humanhash: island-yankee-green-emma
File name:PO -93271.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'118'720 bytes
First seen:2023-06-19 14:08:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:QqrAyZ2guJ7A8z+RJejenfsEvJbi80ccNobK8/Lf/x7GefOVc1TYKe:Qqcl/zWflMccNobKmf/46uK
Threatray 2'169 similar samples on MalwareBazaar
TLSH T1FF35A23E1CBE523795B4D6AACFD5882BF440E1B731226D39A4D353968316D8239C723E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO -93271.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 14:11:12 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/f7db1ac2-3e68-4e6b-bdde-0fc88c5c827c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400575/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67507207.9869.21838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
quasar
Link:
https://www.filescan.io/uploads/6490617eecdbbf1fa09565e8/reports/ae62eca6-eb0c-4fdc-aa9b-e22bcba0fc3c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa20dfed-d732-4369-baab-3537f561fbe6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257562
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890583 Sample: PO_-93271.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 8 other signatures 2->74 10 PO_-93271.exe 7 2->10         started        14 uUkLEmIUGXO.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\uUkLEmIUGXO.exe, PE32 10->46 dropped 48 C:\Users\...\uUkLEmIUGXO.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmpD2C4.tmp, XML 10->50 dropped 52 C:\Users\user\AppData\...\PO_-93271.exe.log, ASCII 10->52 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Adds a directory exclusion to Windows Defender 10->84 86 Tries to detect virtualization through RDTSC time measurements 10->86 16 PO_-93271.exe 10->16         started        19 powershell.exe 17 10->19         started        21 schtasks.exe 1 10->21         started        88 Multi AV Scanner detection for dropped file 14->88 90 Injects a PE file into a foreign processes 14->90 23 uUkLEmIUGXO.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 27 explorer.exe 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 www.bastetribal.com 134.73.96.60, 49699, 80 LAYER-HOSTUS United States 27->54 56 www.wilkesalms.org.uk 104.21.25.174, 49700, 80 CLOUDFLARENETUS United States 27->56 58 www.bigcommerce.rsvp 52.60.87.163, 49701, 80 AMAZON-02US United States 27->58 92 System process connects to network (likely due to code injection or exploit) 27->92 37 explorer.exe 27->37         started        40 control.exe 27->40         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 37->76 78 Maps a DLL or memory area into another process 37->78 80 Tries to detect virtualization through RDTSC time measurements 37->80 42 cmd.exe 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 16:50:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dfvsjkhrtnsro5d47cvh26dxund4kjnqoxuyfvix7iuu7jawbpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2
Formbook
57191284c75940f3a637266acc38d3a503ab97a52c9d99a0a85ff61d27420b6f
Formbook
58036d338d5e813b0143524d21a140f38d8b58f1a531b72f7ce4a82091380185
Formbook
5d9023550ab2c666d9361bb72940be22b4304febbb93f21e4a93ea93748f33c8
Formbook
60e1ed8c3c6bc9d9ef48d6e2129a75c8d39deb97844ab5b17944539e4400f24a
Formbook
852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5
Formbook
8617b9831e3ac243a932ac26cb32dcf1b3554300389c2d6d88b920b5d97be0dd
Formbook
d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065
Formbook
eeb2bc1861ce16da1ce6bf7a28f19b6096454dd3f1133d3cc4f89e6eadf67dfa
Formbook
+ 2'159 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ce18 rat spyware stealer trojan
Link:
https://tria.ge/reports/230619-rf4vhsfe5x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
1bdaffb11c20e77e5368237e17be8805b7c0a705f69b35dd054efc53a19a6e8c
MD5 hash:
285d2a6f998ad7caf3f4718f1281dd64
SHA1 hash:
cc6ff884f4fa53dd41ff484f86f4bab0ab7f88e2
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5d3b2a59-7be4-4919-b25b-48923e3e4786/
Parent samples :
2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42
d40024a841668b3cb64cb894613ee64fb37288125d32ca3068007f70db30f1ed
17ffde8137ccb72df1cf904e6e550a14e03c6e7029a507731a0a721697249851
b08291dfdb766139150a65ebf9e895dea34436f76123a52116e0d03944e1a4e9
b81deeedf20176eab269dc52fb165d8d8c7f74fe3bddf09089702b37dd012ce6
5a5c76f1d8102545a33474c1a81b7742425cea8bfc4dc81d112fc03af2d3682b
dae4a7ae7b88e0e864d2dac3ebabee86916b29c609623b754fbd253d2812a491
8b9641ea4b07a7e2e48a7be9f45a20b7c0663838d5430c90b452729843f4ea21
059d5f6ce17550f0aad80205593ff14cd81bcacf6e2b3bbc1cee716f9669aa64
e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f
SH256 hash:
13fba3a464731de0d61f52d1324239221b6b5915255fa072e10ba864af6450a3
MD5 hash:
b73bd6dcf387e47a0495761011131bb7
SHA1 hash:
fb31523bbc3e3bcda18bc3ffefbf4075214164ef
Link:
https://www.unpac.me/results/5d3b2a59-7be4-4919-b25b-48923e3e4786/
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
Link:
https://www.unpac.me/results/5d3b2a59-7be4-4919-b25b-48923e3e4786/
SH256 hash:
d43d9b114b040c9bbe50c459d6dde477087f43192330941198c46beb9027bb53
MD5 hash:
da93194bcc18e18a46cd03530878347c
SHA1 hash:
732039dd923dc3fce839f5fb2557f6d9bc3ec7af
Link:
https://www.unpac.me/results/5d3b2a59-7be4-4919-b25b-48923e3e4786/
SH256 hash:
74dd67f9d81540b8d7f18a59644a720c72f964167993621672bd3df6693a6fc6
MD5 hash:
3df4da68cabc4294eb349199d65ada11
SHA1 hash:
476715700046902e4f6d850484d978d6ee7d55f8
Link:
https://www.unpac.me/results/5d3b2a59-7be4-4919-b25b-48923e3e4786/
SH256 hash:
e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f
MD5 hash:
3d0b3162ae0d69259f3d3c9770bc6165
SHA1 hash:
618de1830863b48e3b7623d9e856635a3660ef24
Link:
https://www.unpac.me/results/5d3b2a59-7be4-4919-b25b-48923e3e4786/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8cb5925478cdb28bba3e7c553ebc3bd1a3e292d83af4c16a8bfd14a7d20b05f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/400575/

Comments