MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77
SHA3-384 hash: 73212fe087f2c91d5053650b9c9bab8f091267a80eea3fe2c0e423771fb7cac438549a54fdf7b3e2296de5fdafda0f42
SHA1 hash: 27d44d1724c70c81e04df01ae5e72c1e22488dda
MD5 hash: 4ef341e4b9c3229fe2281ddece402c22
humanhash: seventeen-failed-winner-oxygen
File name:4ef341e4b9c3229fe2281ddece402c22
Download: download sample
Signature Formbook
Create hunting rule
File size:292'759 bytes
First seen:2023-08-02 18:41:14 UTC
Last seen:2023-08-02 21:28:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:AYa6uorMGf7Qu02GM2K8vn6lsOqbG3rC8AJ9u1T:AYA2MM7dEvv6lszbG3rCS
Threatray 3'615 similar samples on MalwareBazaar
TLSH T164541281AFF84973D6A342B049B6A1846EB46C3A61A147479700FA6DFE727D09D4F323
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
433
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
product speicifcation.xls
Verdict:
Malicious activity
Analysis date:
2023-08-02 15:38:12 UTC
Tags:
exploit cve-2017-11882 opendir loader stealer
Link:
https://app.any.run/tasks/f14be9cc-c29b-4132-a713-87475816b44e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439921/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29722.907.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64caa37b94fb102ea38c1975/reports/342b796d-ebb9-4284-9d99-7e7b0ac707ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ac43fde-e385-4b68-9675-c3a63a9b7190
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284664
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77/
Threat name:
Win32.Trojan.GenShell
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 12:48:43 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aeafr4hu7xd2ir4b3fyemrpx3lbheuczqt365utem5isdgjmdn3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
216237da181e0a4fe72486534f4fb7694641a34508dce78b3d36acbd53bd9dba
Formbook
57201e9c5bef2bad5111f1989ec265dead9dd75adac4030201cdb1c7ec4deeff
Formbook
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
Formbook
5dc52da7b97835654bab2a3a39e93d412a50608bfd7dfccb87ff716c9aba6a37
Formbook
8e16e5a2e8da8e98b9caa9c492cd7fa65c4845102a8687309c4b40a921c91f11
Formbook
a03b8ae8131346298ef50cbd942d49bd024b8ac225467f960682600fc8ec1df4
Formbook
da9ce816092043ded7f22e3368f1beaa75577190bdab4da16936d7c1bf774e84
Formbook
e325cd7917bb15d2b08a1028083d1bcdbfe46cc42e272f603382cfc30ff2dd10
Formbook
f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
Formbook
+ 3'605 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230802-xcbmfsac6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
b761ef5485a0a77593c1ec8ae2865f42095364b22ef696eae53ac542a905ec18
MD5 hash:
977ec470473dc2830a37da82c466d5fb
SHA1 hash:
10fe4ce89b2bff7bee3e54b84140f4ade9d8a555
Link:
https://www.unpac.me/results/531a7028-26c4-4a01-a84e-3dbfc1c89995/
SH256 hash:
010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77
MD5 hash:
4ef341e4b9c3229fe2281ddece402c22
SHA1 hash:
27d44d1724c70c81e04df01ae5e72c1e22488dda
Link:
https://www.unpac.me/results/531a7028-26c4-4a01-a84e-3dbfc1c89995/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/010058f0f4fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2696223/
Cape
Cape
https://www.capesandbox.com/analysis/439921/

Comments


Avatar
zbet commented on 2023-08-02 18:41:15 UTC

url : hxxp://23.95.122.94/450/IB_iso.exe