MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
SHA3-384 hash: 71a3dceb86dbf2e5371a4a429c6304d42ddf4f21577ac87016d1d915f0d6a0c1b2f9c75d402eef33211e3923d9388a3a
SHA1 hash: 6d8ea236ffdc9054f7b52a189d19d829af0eebd2
MD5 hash: 496eab3a82d2d61b6e37d01fa0de0277
humanhash: three-juliet-nebraska-aspen
File name:satın alma emri pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:653'312 bytes
First seen:2023-05-17 11:55:36 UTC
Last seen:2023-05-17 19:37:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:J2bv/iJ2/kch30AkQ62GaxnZzYAt1SRn1UA93oumoSW:0HiGkAZJ1vbSRn1TTx
Threatray 2'934 similar samples on MalwareBazaar
TLSH T14ED4F12427E6D72AC52B937490E1C3F0677A8C85F422C7571FDDBD4BB14E2B62722292
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
263
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
satın alma emri pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-17 11:55:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94277f95-2776-4ce9-a27c-ed6f9c799f06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390696/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.53398.21200.29141.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6464c0d2ca9bd33579002336/reports/b18c005b-3c2b-419a-a143-ea62f25d9bd2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/881d6c84-b088-4e59-b531-987472b42976
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1235203
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 868194 Sample: sat#U0131n_alma_emri_pdf.exe Startdate: 17/05/2023 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 7 other signatures 2->74 10 sat#U0131n_alma_emri_pdf.exe 7 2->10         started        14 wHtjXbJsIui.exe 5 2->14         started        process3 file4 46 C:\Users\user\AppData\...\wHtjXbJsIui.exe, PE32 10->46 dropped 48 C:\Users\...\wHtjXbJsIui.exe:Zone.Identifier, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\...\tmpFA91.tmp, XML 10->50 dropped 52 C:\Users\...\sat#U0131n_alma_emri_pdf.exe.log, ASCII 10->52 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Adds a directory exclusion to Windows Defender 10->84 16 RegSvcs.exe 10->16         started        19 powershell.exe 21 10->19         started        21 schtasks.exe 1 10->21         started        86 Multi AV Scanner detection for dropped file 14->86 88 Machine Learning detection for dropped file 14->88 23 RegSvcs.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 2 other signatures 16->66 27 explorer.exe 4 1 16->27 injected 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 25->35         started        process8 dnsIp9 54 www.koyercloud.com 217.160.0.194, 49684, 80 ONEANDONE-ASBrauerstrasse48DE Germany 27->54 56 www.europesettle.com 27->56 58 2 other IPs or domains 27->58 90 System process connects to network (likely due to code injection or exploit) 27->90 37 chkdsk.exe 27->37         started        40 WWAHost.exe 27->40         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 37->76 78 Maps a DLL or memory area into another process 37->78 80 Tries to detect virtualization through RDTSC time measurements 37->80 42 cmd.exe 1 37->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-17 10:08:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=73uaixbatwp3g7ahh6obt747zw5tkvwy3d7zskjmiumw27o2yb3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3de41e010beb4ede03eb2ef87e943b3a75402a3c13ca2033e1032ac160363768
Formbook
683ab6fac70b21445c49dee8ce6cd8fef51c56896a24dfabe73b61fb0c12e83f
Formbook
70b830ed6d86b863393d82e8194fc197bb516c7ff7a48d5dca1a3eeb33bb3da5
Formbook
82287d425e3528bdb713315c73ebc54c33b375eb84a0bacd27166ed9a44109c4
Formbook
aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15
Formbook
c55f567dcb05208ea1fa8c6647ffc90d6ad7987faff6a2738aeecfdcd57b7ed5
Formbook
c61f9a6ae0d938b01eed42453cdd185dcec2efb4aa80fb59530e9409edc660dc
Formbook
e4887fdbdf3a4de9f3a9a244620a9a4f54de7e9a4be8b942df7c46c4cd93d366
Formbook
f8725762bcc5a3d83234fd7a55cba1a002af80ecfe0eca2972899f49fa12934d
Formbook
+ 2'924 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:md05 rat spyware stealer trojan
Link:
https://tria.ge/reports/230517-n31jtsdh9s/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Unpacked files
SH256 hash:
5d2f53b5972e96a7645fcf3bcb9b595a2f274d4154523b6052a3264b04409a50
MD5 hash:
18a503def10488a85c8db746566b294a
SHA1 hash:
1372f1ac63e6a80bc86695070b1a577846527729
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/67cb678e-f51f-43f7-8c1a-8678d3fbddd8/
Parent samples :
fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
1950034453da28649135d35016d5ab7ee791cd4bbbc1e4a72f7c56ce3aa9dd9a
312e247299af8e8376125bc4c6b43a6fd88315939b29ae507c5eea62fc26f567
da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84
423562e381586b1c4169d9c3c00014ef14c69bc546897a47ad7a301ac6c7c3c1
b2c1a9091f518029dbac23fab825be576244e2b8d07a82fea5b93778072dd6c7
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/67cb678e-f51f-43f7-8c1a-8678d3fbddd8/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
fe0ef478ad287134030cae42f56f01cef4d435f8548805283314a79c59af7cb1
MD5 hash:
efaf27eed465acc737653d03bc1eecce
SHA1 hash:
8642f94ebb60f26ab81f6f28f96696a5dffa3020
Link:
https://www.unpac.me/results/67cb678e-f51f-43f7-8c1a-8678d3fbddd8/
SH256 hash:
bd164f324179a08638b04317fb1cbc4b98cd46c2cb9e5dc6bcb8265e10b537eb
MD5 hash:
17a00a416b554b1a053df41110d03583
SHA1 hash:
4bf468461f1a3fc0d3a3a6af094253f27f6961ea
Link:
https://www.unpac.me/results/67cb678e-f51f-43f7-8c1a-8678d3fbddd8/
SH256 hash:
81d3b893aad0def2fc419f00eacab146e9bc389c261bab03416ebd5155ca68eb
MD5 hash:
c9f0b8319c7ca450341379fc83a29a71
SHA1 hash:
26dbd09bb76b06cad76d1076f7a38892d4cb37d9
Link:
https://www.unpac.me/results/67cb678e-f51f-43f7-8c1a-8678d3fbddd8/
SH256 hash:
fee8045c209d9fb37c073f9c19ff9fcdbb3556d8d8ff99292c45196d7ddac076
MD5 hash:
496eab3a82d2d61b6e37d01fa0de0277
SHA1 hash:
6d8ea236ffdc9054f7b52a189d19d829af0eebd2
Link:
https://www.unpac.me/results/67cb678e-f51f-43f7-8c1a-8678d3fbddd8/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fee8045c209d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/390696/

Comments