MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
SHA3-384 hash: 40e46690a603a00319e4e004fe6c7c3ed82cd8b38035658d37cb4fc4e82b91a7b1684304e11b63c913de3a9e01aeef54
SHA1 hash: be1ae85680670d6f91c188bc55cc0ca3733d6d9e
MD5 hash: 3c42ddddcddab7b348e3c98b5cb4ebe6
humanhash: golf-nitrogen-freddie-twelve
File name:yeni sipariş pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:844'800 bytes
First seen:2023-02-24 13:36:53 UTC
Last seen:2023-02-24 15:29:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cUhRuQUaD+7jpFd5HVRTnsQSwIynAkaWGGbjZaoUQ3CpCGgZUvbIJrsRekKUH+WO:cUDOVrpVRjsQtAo9ao9SpDbUJAReZ4w
Threatray 1'874 similar samples on MalwareBazaar
TLSH T1F105AE48EA74536FDFDABD2A7204318F19E0B98137119BBDE3D929B0E604A75E1C44EC
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 3096d0f0f0d49630 (5 x AgentTesla, 5 x SnakeKeylogger, 1 x Formbook)
Reporter abuse_ch
Tags:exe FormBook geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
yeni sipariş pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-24 13:50:54 UTC
Tags:
formbook xloader trojan stealer
Link:
https://app.any.run/tasks/008d38b9-0eb8-4fe7-a519-a8c1433536d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369463/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f8bd86663463c1cb678658/reports/6b1e5990-201d-432a-a283-e37d583bc514/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a784f0e-8d46-4a0e-b801-733ba6fdc8dd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181932
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814767 Sample: yeni sipari#U015f pdf.exe Startdate: 24/02/2023 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for URL or domain 2->68 70 Sigma detected: Scheduled temp file as task from temp location 2->70 72 7 other signatures 2->72 10 yeni sipari#U015f pdf.exe 7 2->10         started        14 rHkbsrlhF.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\Roaming\rHkbsrlhF.exe, PE32 10->46 dropped 48 C:\Users\...\rHkbsrlhF.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmp17A3.tmp, XML 10->50 dropped 52 C:\Users\...\yeni sipari#U015f pdf.exe.log, ASCII 10->52 dropped 80 Adds a directory exclusion to Windows Defender 10->80 16 RegSvcs.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        82 Multi AV Scanner detection for dropped file 14->82 84 Machine Learning detection for dropped file 14->84 86 Writes to foreign memory regions 14->86 88 Injects a PE file into a foreign processes 14->88 23 RegSvcs.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 2 other signatures 16->64 27 explorer.exe 2 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 www.keycanna.online 27->54 56 www.ch-ac.ru 27->56 90 System process connects to network (likely due to code injection or exploit) 27->90 37 cmmon32.exe 27->37         started        40 control.exe 27->40         started        signatures10 process11 signatures12 74 Modifies the context of a thread in another process (thread injection) 37->74 76 Maps a DLL or memory area into another process 37->76 78 Tries to detect virtualization through RDTSC time measurements 37->78 42 cmd.exe 1 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 08:57:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5x456gtgd7atyr3tvqlw57qdqgtaubhifhrtr7n4vm33lncrodra._file
Verdict:
malicious
Similar samples:
10f07d893ce971191295d3c52b3a5c761b62edde3a50981cafb2ffc5fab72dab
Formbook
200100b843cccd6b1fc8f2455de2d6069aa6272b3b2d94e805ee72d08bbfd665
Formbook
6b5b7952bdd33c6b92105d81a2211e7a2f907b89fd0a76c344db8ded9dc36802
Formbook
90f8a6e23c16788ef3a7adee0b9b9a03cede0905367d71a8be46d3dc24b7b759
Formbook
9cb575e04d0358d14c8799cd77beaabfc776fcc0362cfe74ec3eea240ec1bdb5
Formbook
d5b73f94baae872466c1f7435d9c3ee66c5bdd606b1bfbae775c9acb19f5c42b
Formbook
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df
Formbook
+ 1'864 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:md25 rat spyware stealer trojan
Link:
https://tria.ge/reports/230224-qwtttadd6y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
7af3ca997814ed2b4a01702dfe56276094f9a2f654c665efcc159d18960dac18
MD5 hash:
c0ba5883a7a40e79a899bc57e349d36a
SHA1 hash:
e8c0c7117f60e08cb4b643b60aa5cc3cd16a9283
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/b62bfeb8-68fa-4890-80b4-de4eafb589b4/
Parent samples :
10f07d893ce971191295d3c52b3a5c761b62edde3a50981cafb2ffc5fab72dab
edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
8e4936a8044f833fa8b5e67067208e8b81c0ca55844122013afe82a0af3b6eb6
ced21302bfa069209473ff66c3511ee8530a11a5323db0b485acb12d6a88a188
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/b62bfeb8-68fa-4890-80b4-de4eafb589b4/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
dea2369b7d4c0bbad43ececcf9ba24cc7dc8e46c3de236b154cb9d5af0cbf5be
MD5 hash:
6336ffa05034538ea24a4bbd92249135
SHA1 hash:
7641540073babd9c68fd35144475bbeaaf637904
Link:
https://www.unpac.me/results/b62bfeb8-68fa-4890-80b4-de4eafb589b4/
SH256 hash:
e23b3837408f1be9d7c11a6de5b4f1493e71a7d895880b1d0031adca7c570c61
MD5 hash:
7b7243b917ccbfe4f5eac7603a1fadb2
SHA1 hash:
65dddec936c6ffe52e4302d8a54795c43c5b918e
Link:
https://www.unpac.me/results/b62bfeb8-68fa-4890-80b4-de4eafb589b4/
SH256 hash:
53a1ffb70e1317598820f839be291ffcf07e4d15bb7a83f257e31ed00c796f5c
MD5 hash:
113748e20fe8a70c825cf463522ea7c2
SHA1 hash:
16a9c578129ba79860781cf3ad3e39fde78117d4
Link:
https://www.unpac.me/results/b62bfeb8-68fa-4890-80b4-de4eafb589b4/
SH256 hash:
edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2
MD5 hash:
3c42ddddcddab7b348e3c98b5cb4ebe6
SHA1 hash:
be1ae85680670d6f91c188bc55cc0ca3733d6d9e
Link:
https://www.unpac.me/results/b62bfeb8-68fa-4890-80b4-de4eafb589b4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/edf9df1a661f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edf9df1a661fc13c4773ac176efe0381a60a04e829e338fdbcab37b5b45170e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369463/

Comments