MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68
SHA3-384 hash:	5dcb99f2169e7b40f17da6fe5e0c92e046f9244d1516667c51fb16badbf31f81be194fa6a657fa6d7a0405eb5a53aa14
SHA1 hash:	87672f68e5b9cc68d1536a4ee79ec129078addf1
MD5 hash:	a76b1f8a9cfef5b88c9d095ef7578017
humanhash:	april-mockingbird-uncle-bakerloo
File name:	a76b1f8a9cfef5b88c9d095ef7578017
Download:	download sample
Signature	Formbook Create hunting rule
File size:	167'424 bytes
First seen:	2022-03-01 09:33:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:4aJkd2hj8lzxEAwMbg/Mz92OgLNcj7S4g+WvIXTgSLSMPpct:4JdRcUeMz83LNcj7fg+RTVSWct
Threatray	14'060 similar samples on MalwareBazaar
TLSH	T1F3F38E32D641C031E2A252F5B26D1B7B883E0D343755A0AAE3E61AE56EE05E5F43D31F
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/245674/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Win.Malware.Formbook-9802749-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

formbook overlay packed

Link:

https://www.filescan.io/uploads/621de88e0cd58dbd9259c129/reports/656c60b1-14c6-4fec-a8ea-3b3f55df254c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b0743993-572e-40a3-8d83-5c0b355de92c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/948017

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-01 09:34:11 UTC

File Type:

PE (Exe)

AV detection:

27 of 27 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aas6jgztuae4onrluiq47pb6iotpx5mhbrhlipgt5kfhz4u335ua._file

Verdict:

malicious

Label(s):

formbook

Formbook

190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea

Formbook

208e7ad8dab4aee54a4d2a5e7be5f2c333855856fa4a433461c1ef55b101ec0a

Formbook

28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1

Formbook

53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333

Formbook

6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf

Formbook

9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908

Formbook

9de751536a55984df4e0686ff47bbe5553906d4b2e2559d7afc019fcb7d4eb4a

Formbook

acf40f9d3eea74324291c55f5ab8d3678e0dcc085581bdd9cf66897f4324bc3c

Formbook

+ 14'050 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:b6zn rat

Link:

https://tria.ge/reports/220301-ljr28sbacp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68

MD5 hash:

a76b1f8a9cfef5b88c9d095ef7578017

SHA1 hash:

87672f68e5b9cc68d1536a4ee79ec129078addf1

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/66fd0c4c-e64e-443e-8bda-c47235b42bd5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0025e49b33a009c7362ba221cfbc3e43a6fbf5870c4eb43cd3ea8a7cf29bdf68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research