MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246
SHA3-384 hash: b8cdd0fda88a6be7ccc8751a51261db80ca2a5a71e35b6754b14cec93a564ee60c9510b152e99adab729d6b0147a652c
SHA1 hash: 7e26a7f0c789f8620ed11ebff3c1712457983407
MD5 hash: 547cafc1a997fdf4bd5beb45e96f7ce8
humanhash: pennsylvania-nineteen-paris-foxtrot
File name:202338744733383.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'239'040 bytes
First seen:2023-02-11 07:53:23 UTC
Last seen:2023-02-11 09:59:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:kKcmZzJzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz4:rPkQ/E
Threatray 5'260 similar samples on MalwareBazaar
TLSH T1EC45383439FA501AB173EFAA8FE4B5D6DA6FB7733B07641A109103864623981EDC153E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
202338744733383.exe
Verdict:
Malicious activity
Analysis date:
2023-02-11 07:55:09 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6e047e3b-3867-4b3f-90fa-bc1965257eca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/363794/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65446041.26866.3331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Forced shutdown of a system process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63e7499de40327f8799ad753/reports/89ab3d03-c47d-4d7d-82c4-29c4e265fa35/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b90fe6e0-ec22-4f6b-8a42-b9d4b3659dca
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1171833
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 804623 Sample: 202338744733383.exe Startdate: 11/02/2023 Architecture: WINDOWS Score: 100 63 www.imaliaskari.com 2->63 65 www.iclimate.guide 2->65 67 11 other IPs or domains 2->67 77 Snort IDS alert for network traffic 2->77 79 Multi AV Scanner detection for domain / URL 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 10 other signatures 2->83 9 202338744733383.exe 1 7 2->9         started        13 svchost.exe 2 2->13         started        15 svchost.exe 2 2->15         started        18 svchost.exe 2 2->18         started        signatures3 process4 dnsIp5 59 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 9->59 dropped 61 C:\Users\user\...\202338744733383.exe.log, CSV 9->61 dropped 99 Drops PE files with benign system names 9->99 20 cmd.exe 1 9->20         started        22 cmd.exe 1 9->22         started        101 Writes to foreign memory regions 13->101 103 Injects a PE file into a foreign processes 13->103 25 systray.exe 13->25         started        27 AppLaunch.exe 13->27         started        29 aspnet_compiler.exe 13->29         started        37 4 other processes 13->37 69 192.168.2.1 unknown unknown 15->69 105 Antivirus detection for dropped file 15->105 107 Multi AV Scanner detection for dropped file 15->107 109 Machine Learning detection for dropped file 15->109 31 cvtres.exe 15->31         started        33 aspnet_state.exe 15->33         started        35 InstallUtil.exe 15->35         started        file6 signatures7 process8 signatures9 39 svchost.exe 3 20->39         started        42 conhost.exe 20->42         started        44 timeout.exe 1 20->44         started        85 Uses schtasks.exe or at.exe to add and modify task schedules 22->85 46 conhost.exe 22->46         started        48 schtasks.exe 1 22->48         started        87 Tries to steal Mail credentials (via file / registry access) 25->87 89 Tries to harvest and steal browser information (history, passwords, etc) 25->89 91 Modifies the context of a thread in another process (thread injection) 25->91 93 Maps a DLL or memory area into another process 25->93 process10 signatures11 95 Writes to foreign memory regions 39->95 97 Injects a PE file into a foreign processes 39->97 50 AddInProcess32.exe 39->50         started        53 Microsoft.Workflow.Compiler.exe 39->53         started        55 csc.exe 39->55         started        57 21 other processes 39->57 process12 signatures13 71 Modifies the context of a thread in another process (thread injection) 50->71 73 Maps a DLL or memory area into another process 50->73 75 Sample uses process hollowing technique 50->75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-11 03:29:46 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ykk45nyolq3iqm54svmo2ohm6s5endz2k6wzfl34vsivwacujda._file
Verdict:
malicious
Similar samples:
313d7ab3ab9ce9c507806980d866aa7f47cad13f943f3fcf24cc0a6050be6716
Formbook
658e0f3e03622f2ef3a44be0e3c19d116f9e7445dacc1b6264ea75ed2af25294
Formbook
8d7c1cb321e7b41dc11548e8a3e02c0394e50494b06d499e0465eb3919372d04
Formbook
9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae
Formbook
a39bbe78bdd2ac28efecb3cc910ee11cb33fbb2c9c08859820b1ff6d998db54c
Formbook
a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50
Formbook
c6135818ddc5d31afa68f42f21e1da3e19f879096298ccb84f68803847235004
Formbook
ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6
Formbook
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
Formbook
+ 5'250 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230211-jrj1gshf78/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246
MD5 hash:
547cafc1a997fdf4bd5beb45e96f7ce8
SHA1 hash:
7e26a7f0c789f8620ed11ebff3c1712457983407
Link:
https://www.unpac.me/results/110feb95-0474-455a-8bf9-7c6b51ba5e33/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe14ae75b872/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/363794/

Comments