MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dd6c6526e7ccdabf1ee6ceae3d38018d78288e543604f67995300f23eebc4b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dd6c6526e7ccdabf1ee6ceae3d38018d78288e543604f67995300f23eebc4b0
SHA3-384 hash: 44ac10bf7fa587fb4c8976ef4f2bd11fe52d7108274df13cd67915dc6fac7394b2b3b8f0c9bf70e58bfd4ae56e7d071b
SHA1 hash: 87b3e4f8a5381d3f503fe67830bf59e441d2ec2e
MD5 hash: 94f7e1a8953d811f3d5b1a53a609249f
humanhash: eight-delaware-diet-network
File name:94f7e1a8953d811f3d5b1a53a609249f
Download: download sample
Signature Formbook
Create hunting rule
File size:310'424 bytes
First seen:2022-03-03 04:12:16 UTC
Last seen:2022-03-03 05:41:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGin3taloxq17Bd9i4ApL2/vaxy4XBdebMzirsGErWXxukZiZSQ/:BaL9iC/vaQ4XBEEirsGG0x3OSc
Threatray 13'784 similar samples on MalwareBazaar
TLSH T1896423DB26D405B3D32201304477F7F7E7BA964C8E219B4B8B985EFE6B92653817C082
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246655/
Detection(s):
SecuriteInfo.com.generic.ml.31121.19432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62204052dfdfa8501c7adedd/reports/61050278-d4f6-4b0a-aae1-1e2c16f3800a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55875545-27ba-41d1-90e7-79094014b829
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/949650
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0dd6c6526e7ccdabf1ee6ceae3d38018d78288e543604f67995300f23eebc4b0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 01:40:10 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be
Formbook
0736da1f42878cc4630f0b855fb638e76989fc53513fac93061cfdd49f9c94cf
Formbook
0b32f79b8abe4a232193f819dccfa47a922353e961d37d1becd35171c2b04a89
Formbook
0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27
Formbook
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
5cd0836a13fa804b548a110f168438da7dffd9c4fb5cc0036241f57bd7c5954d
Formbook
99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b
Formbook
b5f2c53261cde3d73cdf723733cd27caed78e63aa1e878c52e461156838d35af
Formbook
d07fe0d534c8cff1f0f104f5036d547fbf837671f3de78f00a88caf0cd5e4451
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 13'774 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:j37e rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220303-es4n3aahen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
0dd6c6526e7ccdabf1ee6ceae3d38018d78288e543604f67995300f23eebc4b0
MD5 hash:
94f7e1a8953d811f3d5b1a53a609249f
SHA1 hash:
87b3e4f8a5381d3f503fe67830bf59e441d2ec2e
Link:
https://www.unpac.me/results/5d40cbc8-ea42-453e-9474-6d2b7f5d6974/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0dd6c6526e7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/0dd6c6526e7ccdabf1ee6ceae3d38018d78288e543604f67995300f23eebc4b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 0dd6c6526e7ccdabf1ee6ceae3d38018d78288e543604f67995300f23eebc4b0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2072002/
Cape
Cape
https://www.capesandbox.com/analysis/246655/

Comments


Avatar
zbet commented on 2022-03-03 04:12:17 UTC

url : hxxp://192.210.149.28/40/vbc.exe