MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b
SHA3-384 hash:	b322f4904be4fb3808dbebaadf48b90f962f2549d5530f29efe48eb33f46875905506b0ecc274f1afe389413230254aa
SHA1 hash:	24568a1584a0abfdf66588e0d1925b051f9ed4c3
MD5 hash:	868e6e8caca1e526e17e825a267ad2a7
humanhash:	mockingbird-island-edward-montana
File name:	FACTURA095457890000.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	605'537 bytes
First seen:	2023-10-23 10:40:59 UTC
Last seen:	2023-10-23 11:51:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep	12288:4nPd87SQzNMbu3z1iVO0/gSSJFquCn6ThFKECo4UpBnNz4v6q5d:QPdQiVOIgaRnCF9dLnNsvH5d
Threatray	59 similar samples on MalwareBazaar
TLSH	T103D4BF86F68082A9CC19A3B07932DE7107166D6AED74645E5BCC3E673FB79F30066843
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d4d4d4d4d4d4d4c4 (7 x RemcosRAT, 6 x AgentTesla, 1 x MassLogger)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

309

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN formbook

Malware family:

formbook

Alert

Create hunting rule

ID:

1

File name:

FACTURA095457890000.exe

Verdict:

Malicious activity

Analysis date:

2023-10-23 10:58:15 UTC

Tags:

formbook xloader stealer spyware

Link:

https://app.any.run/tasks/a8ca44d7-c768-41d5-a00c-d7001174e208

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.8811.8851.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Sending a custom TCP request

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a recently created process by context flags manipulation

Dragonfly

Gathering data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

control installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/65364dc6e3768e7905c75554/reports/7647f470-1ebd-4e4e-897a-7dcfc5a24f2e/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/96162798-3a3e-4e10-bff5-158add0f0ea0

Joe Sandbox FormBook, NSISDropper

Result

Threat name:

FormBook, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1330496

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Uses ipconfig to lookup or modify the Windows network settings

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

99%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b/

ReversingLabs TitaniumCloud Win32.Trojan.NSISInject

Threat name:

Win32.Trojan.NSISInject

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-09-28 19:52:59 UTC

AV detection:

18 of 23 (78.26%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=avnybppikw5pjzvd2iflt6n3aff7i4ls3gfoup6ufavk22tqvbnq._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

3bc486f0fe0705dc71bd7f103965c5708a878f908ed0ff11ab973af842805a80

Formbook

3e940bd501847e7bf60b525599626211d32f705d7c616584629a5dc0206bc52d

Formbook

4f7ee7b035490423edd7b7c641b2ac81c192252de8c5ab2e40375274a170d5fc

Formbook

541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a

Formbook

62d4746fe8cb8c1fbcc99e50e969a066ad33cd2901c8a870c4607996b28f26f8

Formbook

a915e631517c5b9eadd5062e2c12d33521950a2650d56e69f60ed0d783f35345

Formbook

bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9

Formbook

c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910

Formbook

f0831ec2522d7d8e085f88c8ead0df0478c75efe438e8449bab3f54553e47788

Formbook

+ 49 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231023-mq5gksfh5v/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

UnpacMe 2

Unpacked files

SH256 hash:

13f750d7d8dde4399c586f5b2d291c56427debd2e68b7234e5846b91c0e52a63

MD5 hash:

150cab7a6561d227e14f8443d6e5ba17

SHA1 hash:

9cff444568623db3d96c80fe0e39bd860f903f73

Link:

https://www.unpac.me/results/d3e1917f-e168-4641-8893-4e4dad6c7048/

SH256 hash:

055b80bde855baf4e6a3d20ab9f9bb014bf47172d98aea3fd4282aad6a70a85b

MD5 hash:

868e6e8caca1e526e17e825a267ad2a7

SHA1 hash:

24568a1584a0abfdf66588e0d1925b051f9ed4c3

Link:

https://www.unpac.me/results/d3e1917f-e168-4641-8893-4e4dad6c7048/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/055b80bde855/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.