MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b
SHA3-384 hash: bae78ef7d7fc636c6d4acd69e1aec1ae1ce855bb96a937a2b29f65f8b9637a29483dc7141ec1eba619184e03eb1f54af
SHA1 hash: 8afcbdb1c4e1eb198654d645a6dedde116d919b5
MD5 hash: 384db0b53fbe573a18d40e162ca2f5f2
humanhash: ten-carpet-oklahoma-three
File name:NPW36-12 - SO-3995 (SO+INV+PKW) TW103045287------此筆核單尚未收到再麻煩您.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:681'472 bytes
First seen:2024-06-17 05:12:13 UTC
Last seen:2024-06-17 06:28:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:s3/iFIsPAb/z/ZfQ0TYcAXNOVikqMI+oTIhHs04OtKHEGqAzPPktBjeDS4L3QcBr:ukIKybscAQm+OeHB4tLqA7oBCbGAuePj
Threatray 42 similar samples on MalwareBazaar
TLSH T12BE423097FE94BB7D1F446BA093A4110A13B674A8421DECC9DE732CD46EAF24B611BC7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b.exe
Verdict:
Malicious activity
Analysis date:
2024-06-17 05:13:23 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/0a32803c-1384-4ce0-9330-51ec0ed1eda3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.27449.10973.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666fdf1d0f8138dd4eaad71fwin7simulatehigh_evasion
Tags:
Formbook
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50b74902-3f52-4f48-b12c-dd537474f54a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1458165
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1458165 Sample: 60a8.scr.exe Startdate: 17/06/2024 Architecture: WINDOWS Score: 100 31 www.cen32bro11.xyz 2->31 33 www.xbavju.top 2->33 35 17 other IPs or domains 2->35 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 53 9 other signatures 2->53 10 60a8.scr.exe 3 2->10         started        signatures3 51 Performs DNS queries to domains with low reputation 31->51 process4 file5 29 C:\Users\user\AppData\...\60a8.scr.exe.log, ASCII 10->29 dropped 65 Injects a PE file into a foreign processes 10->65 14 60a8.scr.exe 10->14         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 14->67 17 sTJDyvtsvLqaxtfl.exe 14->17 injected process9 signatures10 43 Found direct / indirect Syscall (likely to bypass EDR) 17->43 20 certutil.exe 13 17->20         started        process11 signatures12 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Deletes itself after installation 20->59 61 4 other signatures 20->61 23 sTJDyvtsvLqaxtfl.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.19726.cloud 156.236.68.134, 49742, 49743, 49744 YISUCLOUDLTD-AS-APYISUCLOUDLTDHK Seychelles 23->37 39 www.ladyboyfaceswap.com 91.195.240.123, 49746, 49747, 49748 SEDO-ASDE Germany 23->39 41 8 other IPs or domains 23->41 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-06-17 04:09:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dvmif6wwnsqwojc4yq4x73ev3faqscyhuh7xog44zhwxuzrlb5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
34920a90105dca3971cbd0871a0f34203c6b398197b8239eba454d502100f9ee
Formbook
5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
Formbook
58fb2eef2cb867a0316df7cd3d833333dc48653eb2c9e1f639c9f749ec39f265
Formbook
9d3e2f47c9e19eb3dd2ad6ff1b00ae5e7b429c4c997268a42b3f75c6d448090a
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
e0c7a974ee35a0e9410cee3e9bf9e0f6d265e14064449db9e288da4d92e7b447
Formbook
e154f78539b295e3755ce2a8aaeb11018e35c6471c4584da66260f0365afcd9e
Formbook
e2a1386069229c6a4f15d8cea2ceaafe0ba1a7b4503aad69fd6e45d9a0279823
Formbook
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240617-fwed1szenl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
fcca5cca37a1e3be069990cf17a2040203bb9c8a9849249aba4b55efb0e88d72
MD5 hash:
354d466cfe1a9619e0b37191fb3b665d
SHA1 hash:
99f7cb3ce436dc12825e8c9025ebcdab47009d08
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
Parent samples :
e0c7a974ee35a0e9410cee3e9bf9e0f6d265e14064449db9e288da4d92e7b447
e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b
SH256 hash:
4179f6faef68a82ff9d04ce9c1adda3969b95308c32f81df22e435a3f2d4b426
MD5 hash:
bd91bffc41db8a67e3a782c0021c0eee
SHA1 hash:
456c770830883a4382b40481964520acdcb7df4e
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
c4b12039bfed4c8bbb9d1376004da60480e49a379a84c9e60565bbd5caef07b2
MD5 hash:
144f7fcaaa3b81b0a3706203a7f1add8
SHA1 hash:
4bc14913fd448b4a2664e1e9ba664a1c6e9a9194
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
ecf1257cb2839319c722daf5323ba2ed7060368b46f84610b6b6823323297826
MD5 hash:
cba51dcdec84ac14ce1eaf2ede86f28b
SHA1 hash:
2e77e64525600817d96b4d9c497135c989e608ee
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
1c2f92eb1ee3a9727c83510f1a5ed0cc473eba5c481138ca78658332a9e62583
MD5 hash:
5956f59caab358b6bec1d10904767fb9
SHA1 hash:
2c47e9f5740293e88555340773ae4a3c7ed4dda3
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
56f3659c963caaa9b0c61d2798e432224a670d31771490c1eff71f9718dc69e2
MD5 hash:
d74c58ec3467a9330f58c5f90b1a9354
SHA1 hash:
efbfe5051e50d81bb7fa4dbb0e72933af4790669
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
f24595dfde6334ef151799f1d1de36415de967093ca86bc8252b60ca9816ea79
MD5 hash:
77f89846ee2e27cea641438e38d5695c
SHA1 hash:
8499ad91ca38d5e79d472d25b2d0a3e852ce988e
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
411a5897169d34fb92f5cbfc8b04bd85c884aa21fd2e2abb15bdcdd9aea2e6a7
MD5 hash:
9763f4ae87eb5928ac6adba8703b67c8
SHA1 hash:
739059ddc552293689f83f39b9f4bdef455cbd68
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
30abf117e5fba1a5ec11abe3914d3745891ec8040a2b669ac8602c5ce683f0ac
MD5 hash:
ea98ae4cb537ee73d9ebe1dcc3a25f83
SHA1 hash:
56f54d600d72b3c049a531212371219a6f3e2577
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
96e663e27023a63e047adffd9941adefe6db6973ecf8f409fe34197f05418533
MD5 hash:
36c06449dcec571993eb2dcaa0c06e5e
SHA1 hash:
2ee36382a6781b8dcb966c84daea9fe7a8761aeb
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
199c0aa16706e65e1d7f495d3bc5a881e135071893e602be06c645b0b1dc5e00
MD5 hash:
e74d5421d922a0f6983567bdef7f1a9f
SHA1 hash:
0ab4db26f1d04506a22f28f7c0537bdf84e11487
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
SH256 hash:
e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b
MD5 hash:
384db0b53fbe573a18d40e162ca2f5f2
SHA1 hash:
8afcbdb1c4e1eb198654d645a6dedde116d919b5
Link:
https://www.unpac.me/results/87faa921-2217-464f-b0c0-ea96635efeca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e8eac417d6b3650b3922e621cbff64aeca0848583d0ffbb8dce64f6bd331587b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments