MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments 1

SHA256 hash:	0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2
SHA3-384 hash:	098042460dc157b2e62e55715c0d6905ccd777a2757a55831b0b8b4cb2b5f541184166bddeb4e4f9981db81df0fa828d
SHA1 hash:	020f0e12df96a129d375a43762447459fdc33930
MD5 hash:	eb4ec13e49edaa7b70956780c01e766a
humanhash:	kitten-cold-snake-north
File name:	eb4ec13e49edaa7b70956780c01e766a
Download:	download sample
Signature	Formbook Create hunting rule
File size:	285'423 bytes
First seen:	2023-06-23 11:16:51 UTC
Last seen:	2023-06-23 11:34:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:gYa6GTqdrqDz0kZ/rSgWOwpCD3vKuzptEXXlypu:gYUTpDz00zSgJLGGcE8
Threatray	2'396 similar samples on MalwareBazaar
TLSH	T19C54021576E5C0A3E9A206320F36D6FEAEE5ED12DC904A0737D03F0F7832662895D792
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e0aaaa2b0303aad0 (34 x Formbook, 21 x AveMariaRAT, 18 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

eb4ec13e49edaa7b70956780c01e766a

Verdict:

Suspicious activity

Analysis date:

2023-06-23 11:17:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d487cd97-ab89-4ba3-988e-3d36db43666e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/402138/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.22782.22874.2902.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/92415/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/64957f2e20eac562407a1394/reports/a556465f-f3ff-4296-b17d-9e3bd503df43/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6d6ec99e-9389-4bd2-aa21-50e0831a2370

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1260392

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-06-23 11:17:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bpcpo37jq3y3u3gjq5zkvhw6spyernu5ybtdxri2xhqr4q3fi2ra._file

Verdict:

malicious

Label(s):

formbook

Formbook

33e3b47eae5dd2c0931b64dab1fa56868276ee8cadf3cda23e4310e7e640703f

Formbook

4431648599d5c8d9ed6324d5cfaccf83daaecf91b9637b1cf308b8004ca43757

Formbook

9b11fa3cfa0acdd01be3595fba22f7b38c333e7ec8da88228c971735913bb6f7

Formbook

aaaf94eb867796b731871a3503f707d089aa3103d7fc388fc696997b343c4dda

Formbook

ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3

Formbook

afbccae6537d0602edbc99ef03ec8b89ec23df241079f949c0b8a0aa6f9aa8f0

Formbook

b4ae90babbf85fb137c173dbc6a8791c9b40a7d9b32ab70ef81284736c683710

Formbook

be0791f3e56382436345ae0413249be5e66c0a593afc1c83ab57d8bbae61d4ba

Formbook

e57304555042d5835094d3ee4cdbcfc713e089f1af6b6764c76673a43c34c971

Formbook

+ 2'386 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:k2l0 rat spyware stealer trojan

Link:

https://tria.ge/reports/230623-ndn5haed32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

477a1f71bf8206cbd93026db26fab2d7bf859b6877f9bfd0ce383eabf21e26b0

MD5 hash:

efe63188226fe962108134c296c2b7ee

SHA1 hash:

0bc8d9f11428c7ac0d17971d05fab85b4ae1593b

Link:

https://www.unpac.me/results/dc05428b-32b1-4d12-88a2-f5cec02711cb/

SH256 hash:

0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2

MD5 hash:

eb4ec13e49edaa7b70956780c01e766a

SHA1 hash:

020f0e12df96a129d375a43762447459fdc33930

Link:

https://www.unpac.me/results/dc05428b-32b1-4d12-88a2-f5cec02711cb/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0bc4f76fe986/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0bc4f76fe986f1ba6cc98772aa9ede93f048b69dc0663bc51ab9e11e436546a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.