MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be
SHA3-384 hash: 47087973c6fd994182486db05ae2497b50cb9dc50174b13563774d327d1ae174ce33a2681b6dcd53726b1f512b90054c
SHA1 hash: 22cbf0f495a613c15c90515b15fb25689dd84eec
MD5 hash: 68f7eb61b8346983d52036c258340ff4
humanhash: moon-cat-stairway-single
File name:Quote order,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:418'512 bytes
First seen:2022-02-02 09:16:37 UTC
Last seen:2022-02-02 20:16:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:xw5YZvRaXI8HNcDvllosZ95dXXfYqONFXZ+nR+Ap3GUsVmu0rN10m8eUKA9PTuli:1YXI8wllDXvYVJ+nRzxGAL0deU5NuiOQ
Threatray 13'029 similar samples on MalwareBazaar
TLSH T17194BED2D3818CB9F82E4B3250B69C28495B7D6EE9F4A52F5A4DB12527B31C300F6D4B
File icon (PE):PE icon
dhash icon c392921696e80303 (1 x Formbook)
Reporter madjack_red
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/229906/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61fa4c1118d1bfdde4ea769d/reports/5c7a5dcc-a1da-4862-85f5-d0f1131d3cca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RaRansomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f088ea2d-e552-4910-84f7-ae960f39cf5b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932295
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be/
Threat name:
Win32.Backdoor.Gnutler
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 09:17:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
11 of 43 (25.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aaycsnqs4fba2pmxtynor2zcftelzv7dk7q6lqgdciogegh2gw7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec
Formbook
6e025a1d72e2abfb9c0fb6c945d3fcdbe2124c5d68d8f5fb09b8389bc30f799e
Formbook
7930bf3f1be9acdf429e2433aa7d0c36985d9a97e580571fee1ffe8cbc0d8f5a
Formbook
99e25501d1c736865e766fe4e347cda8817f4005be1d7b0c336451b89be71ed2
Formbook
9b9e383f7635be680129b113ad1e827c61e2e2cf1ce7ccccd2f09b9a0a546494
Formbook
a00b8665cf484b38e9d12d40208001acd1b890250be4bbcc78807eeedf6c408d
Formbook
a5445168b24e211aa5df098ed4be983c8d57f935610638e466bdc6c98065effb
Formbook
c4d47153405e6371ce64b331bed9178e45c5f54bfba505375d6d8918e68216b9
Formbook
d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
Formbook
d16da4e6a63f26601dd3c961f31708db79be1aead7cf3834fafa47095b1a45a6
Formbook
+ 13'019 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
856279abaf4ef54e6fa834a0f9551ca3cb4c555fe2d36cfa16d9b09e96c87d5c
MD5 hash:
e9233722f4fb0577be6db16d201f7cb4
SHA1 hash:
4e985042d952ec4d87e138c58cab46cb2330a705
Link:
https://www.unpac.me/results/f8f64bec-368c-4f12-9313-be640d829cdb/
SH256 hash:
0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be
MD5 hash:
68f7eb61b8346983d52036c258340ff4
SHA1 hash:
22cbf0f495a613c15c90515b15fb25689dd84eec
Link:
https://www.unpac.me/results/f8f64bec-368c-4f12-9313-be640d829cdb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/229906/

Comments