MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 171bb4112c7a42e6ba98bb14516a15dc2a016f970e00e0d64224b5f76ebc6a77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	171bb4112c7a42e6ba98bb14516a15dc2a016f970e00e0d64224b5f76ebc6a77
SHA3-384 hash:	8dbea7ba5d6fc7729a3275ec9097d32d7ba11fe3b39928afeecc9f06a91c3c95477ace1764ec1a8a227254af21278119
SHA1 hash:	47bc31ed821195143f26d253277ef602bfe45f80
MD5 hash:	1d9edf46b3e400855655d7c1b4ca7f70
humanhash:	hawaii-magazine-venus-venus
File name:	PO8.jpeg.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	295'381 bytes
First seen:	2020-04-27 14:08:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep	6144:dPCganNwxeqEu9zCdpVLloRyhuDh0NzNfe/dfKVZq:DanKfEuGrRKyuIw/dfX
Threatray	5'548 similar samples on MalwareBazaar
TLSH	8754123A62F0CC67C495017A193E4B7A7FBAD862494C1B0B27D43F4E3937612972C5BA
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-27 01:37:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 31 (70.97%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4n3iejmpjbonouyxmkfc2qv3qvac34xbyaobvsces27o3v4nj3q._file

Verdict:

malicious

Label(s):

avemaria

emotet

Formbook

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d

Formbook

4601b57fb9acf7117686773d8616efcac498591a6b650acc9a4f96871e9694b5

Formbook

52ea3c1f51eb3a8920e2895ebe7d54ed9b010407775434da9c47fdeceae7af84

Formbook

6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989

Formbook

84b4040d764a758414d6e7d913161c97846e563eb18e3497f207670f9d239bc8

Formbook

8bcdcd3db1dd3688101b18e4c090194ce7ac4e96ef206e56d5595e467cf25e46

Formbook

a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b

Formbook

b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3

Formbook

dafbe8f50df58d704b31ddd6cde8fafa09627ffc4dc63b774104376fe924c3e9

Formbook

+ 5'538 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::SetFileSecurityA
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample