MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66
SHA3-384 hash:	59c509ddd769ccfdd691f5cdea49468692cdf32214158eb49a28c9da2d458f730565af5be6e4d408507b6ad112e28411
SHA1 hash:	02e5d66ac9bd1aa3ebc583258d31b28f5d829a44
MD5 hash:	0af19372f870a129c6f5c3eaa205ceb3
humanhash:	oklahoma-butter-west-illinois
File name:	SecuriteInfo.com.W32.AIDetectNet.01.22816.2805
Download:	download sample
Signature	Formbook Create hunting rule
File size:	562'176 bytes
First seen:	2022-05-24 18:36:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:rH7S1h1qN0JMgtS9QWeJiwDVpxEgCWeaCE4pMWEDZchj:rHFW8eJHzteaCEGEVcd
Threatray	15'715 similar samples on MalwareBazaar
TLSH	T1E4C41262B2B8171FE1B90BF9350D395153EAC45A5421E3A28D84D0FEE635B1ACAC2F53
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.22816.2805

Verdict:

Suspicious activity

Analysis date:

2022-05-24 23:09:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8f388137-ac70-4fe9-8483-e32462a980b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/274214/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/628d25b3054dcf0ecae8b90f/reports/5603dbec-9f96-4176-ac43-85a8ce25731c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/54e650f8-cbbf-4673-9b0e-fbef9e665e02

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1000949

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-05-24 18:08:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bvxx3byle7dndljttvoy7fsjcpfdqmcglljtxrezwzgagsmrxrta._file

Verdict:

malicious

Label(s):

formbook

Formbook

24760feea3c8f265f0af7e459844b8b793b6f572b890ce692a47cb6d6141a50a

Formbook

2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395

Formbook

2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226

Formbook

2fc25ed2ea287ae9de0ebfd976351b90cbce6059f91698b99ecb949cd2437056

Formbook

7c9b9fd316c451b92af97cb1c8caf087ab4ab69fbe9f8b79f2acc2757b52d6a0

Formbook

b0d8448b8f1001c389a1d64989666d531e4a82339d3f63c3156a078af86ebbcf

Formbook

f04f07bbeffe4e7ea71dabc192759db670f2407c8d46fd7f40ac91020f7161dc

Formbook

ffa56449f84c15094bd1d4c93fe2a6e472005df760d3b8af816d7b523fef7b65

Formbook

+ 15'705 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220524-w9fr1addg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

e8ad8f1198c2cbb1550a6da142a35c710da8ca71b30788b41da6932fb8714aca

MD5 hash:

c5709a6fac3e442fe7e21d6b55406ace

SHA1 hash:

b508a4e7c36715b0d325dc04951198b3d9efa4b8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/df038258-7dcb-43bc-9572-361a6d192ba6/

Parent samples :

0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66
5b39db4d27b6a3c5822a06632dedb65df333f7ab938433ed4761eaf88cebf4e8
03fa6bc991b15a3d5cd507673d1cccd0b0279315e9a04924d908a9520609a1c3
3d3f87ccf17f08c06cf2b27159f134cdbba6a97e0b127bac605a4ccb09aab01e
04ec2e85da90b75bc6e711cc8ec74b7a79e16722652d944ff9fef180f3bdebaa

SH256 hash:

24d97f98fd3e18b769dbfdee448e3ba94c5b8ae91ce999c50b4f5320fae86d2b

MD5 hash:

df11ea7070e3ec7f42970b2c9bd3e924

SHA1 hash:

d26b8f6a81f99777aa2835459f0b82993d5179eb

Link:

https://www.unpac.me/results/df038258-7dcb-43bc-9572-361a6d192ba6/

SH256 hash:

7fc3a061a6e1994477839381444ed4f983946612d0089e6831bd2bade175f9ca

MD5 hash:

748acb34a51e6c4974b38c39ae84f3fe

SHA1 hash:

89b81512a0111f8c4e43387fd26cc253b35fa07e

Link:

https://www.unpac.me/results/df038258-7dcb-43bc-9572-361a6d192ba6/

SH256 hash:

d4d978059b7aa0a473c8c0400554b738e6bf0457782b767251412d7eacf9104d

MD5 hash:

e5b6f22bc7875a0d7ffad0a6cc59742a

SHA1 hash:

25e3584a8fc8310d015a904ce2617e3c2bdbf498

Link:

https://www.unpac.me/results/df038258-7dcb-43bc-9572-361a6d192ba6/

SH256 hash:

0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66

MD5 hash:

0af19372f870a129c6f5c3eaa205ceb3

SHA1 hash:

02e5d66ac9bd1aa3ebc583258d31b28f5d829a44

Link:

https://www.unpac.me/results/df038258-7dcb-43bc-9572-361a6d192ba6/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0d6f7d870b27/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/0d6f7d870b27c6d1ad339d5d8f964913ca3830465ad33bc499b64c034991bc66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample