MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522
SHA3-384 hash: d4f727c4254f4b551ffef35c50110ec49a45c6a181fdf6d8cb0871b9274f84041df31c54dcc5655fdaf93aca725dfd64
SHA1 hash: ca7e0f86207d13e5340a673fcc2d9bcd1768a1c9
MD5 hash: 13e15b043c3876f3c483f68b1e288524
humanhash: east-georgia-twenty-rugby
File name:Nueva Orden (URGENTE).pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:706'048 bytes
First seen:2023-04-04 08:33:47 UTC
Last seen:2023-04-06 05:53:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:iGbpg/mjr/QFnG7FmVW7obAJPj0zj+JIuZoH2DxxS54wi5feBSc3GLwrEIny9Ms:iGbpg/WYFnGCAJ7S4TQev5a
Threatray 570 similar samples on MalwareBazaar
TLSH T1E3E4D09D7600B5EFC91BCE37C9A01C24E6616577670BD317A09319ADAA0EADBCF110F2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
256
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nueva Orden (URGENTE).pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-04 08:34:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d62707d-f815-497b-bb5a-35859b74753a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379912/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66230394.481.11521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642be0fc35c10d8aaf2895cf/reports/afe7dd47-7fe6-4a5e-be3e-9df86940a715/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6061adf3-36aa-426f-b16e-4a9c064f7b72
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207860
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 17:53:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jbcpgowr5sbg733ozfkct6ukhb6y6y7tohh7qw6znbn7t4nkura._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
180284f76be1f524875609de4bb4e02cb30a969a438bd871198830ec393afe0f
Formbook
35dc865c22873093d1417a28a5782b40e96ac3a890b51cb57dd89bedb23f1bfb
Formbook
363bf36180115b78abbb81e53def8018de22600b153958406302b6d71414f6c7
Formbook
49fe1618c14d32183b774338d27a474d16e05519bb3967940fb33e6af06170f0
Formbook
5ad5b73c0bc7325d96a68f35c1a84b692073395b00738c1f31ab5a4f26b131f6
Formbook
c883e6286eeb6bf200ac5bf790b70ba5547f49d0fdc2b2626dccec7727fa7b70
Formbook
ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Formbook
ee818f26515fa5b367639b6b76c96c3dd04cb96a46cdf7037e19b97f6a630d07
Formbook
f22e2d1a6903ccecd271a8b287c427f4127f5966bf1761cf0a0e5071bfe93c37
Formbook
+ 560 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230404-kgfezsff6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340
MD5 hash:
a8371cb187d99711691ccbecf8f35657
SHA1 hash:
8dec32121d2f9f876c2b157451968796608d3dd5
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
Parent samples :
5ad5b73c0bc7325d96a68f35c1a84b692073395b00738c1f31ab5a4f26b131f6
784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340
ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522
SH256 hash:
ddff35e8a5a0ef49d75627bc8bbd42c42cc1c41e468cc0f5599fefe5ae7ee384
MD5 hash:
2b8df85ed59a8f95922e966152ce7753
SHA1 hash:
446e166266d4cb9c46f6d900fa91f4224883a931
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
SH256 hash:
791557bc8f7b484020cf2802fe2753a2c0303210af1500f98713900f865a88c2
MD5 hash:
e226a7e74de5842d49a587610ea8eae8
SHA1 hash:
cc205e006d01ab7b7baeca6553c663479d1654c2
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
SH256 hash:
38548b0f5b0c0f5353d7fcfb421be5744a0c364b69797c11f84affe67ed80adf
MD5 hash:
df99dec103c8282cfcf82be76a1943c8
SHA1 hash:
bbeaba8758ddcc93a7a339ddbfc512fb533807ba
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
SH256 hash:
58ea653ce0d5b82090c88eaf9957ae8bbb01e693092485ef67f2f5bfba0828fc
MD5 hash:
98ab3710c72b377a9aa7f5ca5fd4a4c9
SHA1 hash:
4bcd00d1f4017ad0661a135ca7b599276c69ee62
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
SH256 hash:
a814e62b5c81b9f77f008fa7763e0d7d72ff34b3c6997c620a112e707af4bf61
MD5 hash:
66ae4ff3e93c91ed0455232a9a096a10
SHA1 hash:
4b825a7160fa77ec3caa7c3dd60aeab650b6683e
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
SH256 hash:
ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522
MD5 hash:
13e15b043c3876f3c483f68b1e288524
SHA1 hash:
ca7e0f86207d13e5340a673fcc2d9bcd1768a1c9
Link:
https://www.unpac.me/results/60fda164-5ecd-461d-a488-8ba021d034c7/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea422799d68f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379912/

Comments