MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
SHA3-384 hash: 20e825e34c86ff1c8bd528a0f09d327c1754329ee145877cd3fbd2751fdaa55e1117c782cec97fd46ac5bd97e5811ad1
SHA1 hash: 5327e4ca332aa28267444a12cd692375291a4ce2
MD5 hash: 77783c6f99127280ab5c677c1c96bf7c
humanhash: chicken-pasta-georgia-butter
File name:SHIPPINGDOCUMENTS.25.23.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:686'080 bytes
First seen:2023-05-18 14:19:20 UTC
Last seen:2023-05-20 15:29:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:S8RXgHLZIcZI13TZFseMdvkp/TpVMYEVxhe+XbeG7aEGONgLQ:SsAtDmJZTu8ptipSupf
Threatray 2'951 similar samples on MalwareBazaar
TLSH T148E4F06027D5C70FC02A837885E5D2F06376DC81B9B6C7974FE9BC8FF28A2A11752256
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8eae6e6e6e6e46a (13 x AgentTesla, 10 x Loki, 7 x Formbook)
Reporter JaffaCakes118
Tags:FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
92
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SHIPPINGDOCUMENTS.25.23.exe
Verdict:
Malicious activity
Analysis date:
2023-05-18 15:06:36 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/a67bf96a-4c42-484e-92a7-3d64dbbb15b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67101391.9048.7555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/646634184cca7adb7c9338cc/reports/20ce42ff-4cb5-4197-af69-89bab7d84141/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04748bca-fb6b-498f-8f94-8819ca4a6a43
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236026
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869026 Sample: SHIPPINGDOCUMENTS.25.23.exe Startdate: 18/05/2023 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 6 other signatures 2->44 10 SHIPPINGDOCUMENTS.25.23.exe 3 2->10         started        process3 file4 30 C:\Users\...\SHIPPINGDOCUMENTS.25.23.exe.log, ASCII 10->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 14 SHIPPINGDOCUMENTS.25.23.exe 10->14         started        17 SHIPPINGDOCUMENTS.25.23.exe 10->17         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 19 explorer.exe 1 1 14->19 injected process8 dnsIp9 32 www.udda.app 194.9.94.86, 49697, 80 LOOPIASE Sweden 19->32 34 www.aseguvenlik.com 172.67.178.154, 49698, 80 CLOUDFLARENETUS United States 19->34 36 www.d7c8-iuxt.com 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 raserver.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 03:31:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dzhdywabrzrbotw6w7cj5bf355uyp65qsqlofmqniinut36q6nq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
40f5c4cf3de1461b42dc81ddaf6bf3c1956d27e85773d8828e798b79402e6e13
Formbook
4baf37305afca03942dfd3f13c173cd45d587cd358adde2b6f1596fc761eaae2
Formbook
59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598
Formbook
5a2e7eb559e1d587d537ff0033d00fb27f7e17bf0c2a5db6bb3842b9e2fa9972
Formbook
7364133b920b40a6d5583a6ae12d8f510df7f2f65da5c026bd7c9ffbe3e54e57
Formbook
7d0802716538acdbba606f1691225b66910af4603aaa096f3a84776c1e5b40d7
Formbook
85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510
Formbook
c104d364eec79cad7a9c9040ff30d46e6b2bf694b3c8f80130bb599345fc3d76
Formbook
ca92353954eb428f99d73b11f26650f1ed59df39a99a04d45552c8b9ba4e1459
Formbook
dd7311a0428c78cec1db4fbca409094ab6694db68c03aa878f9f1872ecc6e1db
Formbook
+ 2'941 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ga36 rat spyware stealer trojan
Link:
https://tria.ge/reports/230518-rnfsnacd84/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
99ff6a37c82585c6d2e90f20e415fbb8764e9df8bca8652a7d9a737deca7377f
MD5 hash:
ebc66d0c2c7e09625cdd91510a42e3fa
SHA1 hash:
79a9b8db3e511aad276601fa7f90d34b7decfb91
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ca177df0-9f04-44a3-9967-3d7f2e8bf7c7/
Parent samples :
e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
12827a41d1bccb41a635ea9837a5eade7efadf556069b2bd734dbbfe7fa408bd
aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda
841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410
9f7df9aa07cfd95be6465d8234bae2a1332e7627932b0b345962a766a696212d
0e724a5112ed91fceef060ac76d69321020734afb2902e512b2c5698123faf94
SH256 hash:
86ba70fd9e57118441913987908bcce203cfce4442b75b103cc2e6dc4b347916
MD5 hash:
50c7ee1b563b28736ccf42920085681f
SHA1 hash:
e5a638a8457690c0b4a83f5a247b4e52ca9258f9
Link:
https://www.unpac.me/results/ca177df0-9f04-44a3-9967-3d7f2e8bf7c7/
SH256 hash:
2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6
MD5 hash:
ae06e9b9c5d6df3bdb39fbbc75d9b9cd
SHA1 hash:
b03aff7dda4462819b1250e44d80c83aca37237f
Link:
https://www.unpac.me/results/ca177df0-9f04-44a3-9967-3d7f2e8bf7c7/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/ca177df0-9f04-44a3-9967-3d7f2e8bf7c7/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
b3e8ab309f9bfda6671e283f8ef2f0de5b583639b13e4c49004cf1b8cea3a941
MD5 hash:
e493a849138e5ed99d322890d25b6078
SHA1 hash:
113598e33e5589dbc4065fc179b9948a4c4126a3
Link:
https://www.unpac.me/results/ca177df0-9f04-44a3-9967-3d7f2e8bf7c7/
SH256 hash:
e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b
MD5 hash:
77783c6f99127280ab5c677c1c96bf7c
SHA1 hash:
5327e4ca332aa28267444a12cd692375291a4ce2
Link:
https://www.unpac.me/results/ca177df0-9f04-44a3-9967-3d7f2e8bf7c7/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8f271e2c00c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8f271e2c00c7310ba76f5be24f425df7b4c3fdd84a0b715906a10da4f7e879b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments