MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c
SHA3-384 hash:	8d4ccfdda744d2a32dec22e309ebc6ca128cb2fd360ea3371a85a88e4ceaf5ac17ed34ff4aa39678defab430d733af9f
SHA1 hash:	80bfd7c4a2560bade8d94295d1d9eb9e16c8bc2f
MD5 hash:	e465e82dbafd2a381badd7616f91f4ad
humanhash:	potato-fruit-maine-lithium
File name:	SecuriteInfo.com.W32.AutoIt.VB.gen.Eldorado.9018
Download:	download sample
Signature	Formbook Create hunting rule
File size:	771'584 bytes
First seen:	2022-09-28 12:07:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef471c0edf1877cd5a881a6a8bf647b9 (73 x Formbook, 33 x Loki, 29 x Loda)
ssdeep	12288:ROv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiy8qINJhlqZSDmhAtd63dWpCXhKn1J:Rq5TfcdHj4fmbvJINltdTp9ky
TLSH	T1C8F4CFD7F90055F1EC3A90B3B63B88A527B7ACBEC1FC644228D92B0254E15729977C1B
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e8d4b2a2a2b2c4f0 (10 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

314

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314339/

Detection(s):

SecuriteInfo.com.W32.AutoIt.VB.gen.Eldorado.9018.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39729/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckNumberOfProcessor

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed shell32.dll

Link:

https://www.filescan.io/uploads/6334392690cb824e9d9fa0a6/reports/9dd9c3f6-cd81-4be3-a2e2-7349d43fef31/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e687c17f-2674-49b2-82a3-79000bd31ca1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1079190

Signature

Antivirus detection for dropped file

Binary is likely a compiled AutoIt script file

Found hidden mapped module (file has been removed from disk)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2022-09-28 09:14:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2rltyk4ytbqlriptblnngrfhrvldjuzndkb7rwpmxpf7cdbyv6a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/220928-paw7daghdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a506a009-3f27-41b5-8dd8-cc21bb63b73e

Unpacked files

SH256 hash:

6ff4bf0414e5586713172d5bf2c5950bc340d4e7e5281c808238ad4854eb4fa5

MD5 hash:

649c8087ff6984851e56db65bd3cc3aa

SHA1 hash:

8aa2a8b9fd0a6607c816095f01743173f6aadb41

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c8d3dc09-4d67-41c3-bbd4-49735c5f0f4e/

Parent samples :

0606bdc61d15a75b3b5097cf82980bdba56af81b30af2a12f32beb1307be5791
043470f6b0a88a5fe3189b7dffa5f6e8bc5ebe639c9967049763c2387465060f
97b7577f2c05a98b53165ea7e9c90735e982332f6007b2dcdd47ed85ebd72ce2
0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce
23d2e10a52afae3224130b631f0e0642100346ebf9b06025326d78e5d43bb21c
885d3612f1d5f7b8067b8686d563985039f9adfc335950136ec6f42f77580d34
d5881bb367b8481bd0c089d687456d98073f61f47dd28f23fb70ca75cf888bd4
16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c
3eacbab11c9f00e94b06ad4feaf37264839faaddb10f611207ae44a460b5b6f6
4bfd8737e902286e9241b79d3099f85744194fa0c9a330ebe51db5c3e2e747a6
c3bceaed735d92dcc15f95ed452a184236e03cf317977ecb311c208b9f27451a
1eee0709877d020629b31a21104d218743150062a41db240b505f876963ae7aa
b1b75a5bc8ec385bb74f35172c1701e08ac29872653fc2f588873907650a1062

SH256 hash:

16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c

MD5 hash:

e465e82dbafd2a381badd7616f91f4ad

SHA1 hash:

80bfd7c4a2560bade8d94295d1d9eb9e16c8bc2f

Link:

https://www.unpac.me/results/c8d3dc09-4d67-41c3-bbd4-49735c5f0f4e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/16a2b9e15cc4c305c50f9856d69a253c6ab1a69968d41fc6cf65de5f8861c57c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314339/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample