MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17a015fc34d0e243070f80340d1692b5a52d7806328c587d8fcb153c209ad545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17a015fc34d0e243070f80340d1692b5a52d7806328c587d8fcb153c209ad545
SHA3-384 hash: d25dedfcbc1d33396fd81884ec2507f9b1d4376903e715df3754a842de4f5232429fd97565c0e578a936210f690ad21f
SHA1 hash: c67b7cd2b85b55e4329009d272c4e12d2b9f455e
MD5 hash: e871d5d07364a929ba833087560ed693
humanhash: bulldog-magnesium-july-five
File name:neuer Katalog2022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'082'880 bytes
First seen:2022-02-03 08:37:40 UTC
Last seen:2022-02-03 11:59:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:wDI6HI5lWE7jsh7+bXZ9vtkTOlUtNyfrGaREYx8tmP:wDI6HI7nCqiKKefrGaTx0m
Threatray 12'904 similar samples on MalwareBazaar
TLSH T13E3512C2F6C5E5A5C81B0AFAE83ADD621727BE6AD424811F3449761B6CF33431863D1B
File icon (PE):PE icon
dhash icon d4ccc8c8ccc4d0dc (5 x Formbook, 2 x NanoCore)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/231810/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.94.30255.11610.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Launching a process
Сreating synchronization primitives
DNS request
Creating a file
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe packed
Link:
https://www.filescan.io/uploads/61fb947ea0f6a794b336615e/reports/1524af07-9c30-45f8-b6ba-fb6c73625305/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7723e058-5d61-4c17-bb7c-ec8fb3c84fa7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933349
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17a015fc34d0e243070f80340d1692b5a52d7806328c587d8fcb153c209ad545/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 08:38:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6qbl7bu2dregbypqa2a2fuswwss26aggkgfq7mpzmktyie22vcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
41a329a29ef2b80383739356d137646509dd5fcc91c40aacff48930d6ff6c407
Formbook
75e51d5e7662ad2c7ee23822ebf5246ce2d3257734ef87883f57bbcffe13c5d2
Formbook
779f51468b459d7e4fa2fb6dafabd1771416f00bdd0ad587b1f3119da41edd5e
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 12'894 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:iepw loader rat suricata
Link:
https://tria.ge/reports/220203-kjs4vsefdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
3f6c8c5678a232cbc4b19382ce509695644f8507ab6651ce36b78f4ca83bd2cf
MD5 hash:
edac7f44d6d3b229623eb30cb1715f8f
SHA1 hash:
e439f69c0e77e8f8ce9431b4075d0cb6d2a4b425
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/039d235e-ec00-44fa-af26-311a3a64285f/
SH256 hash:
f53c0c7809ce210f7d411ac27420c6a2684ea2a06928ec506a0eb458914e0253
MD5 hash:
5c91c315821f97c8d648c213dff627f0
SHA1 hash:
e86e3e04f1cfda7bce461bb899a0c8e7c4061fbc
Link:
https://www.unpac.me/results/039d235e-ec00-44fa-af26-311a3a64285f/
SH256 hash:
f1663ec0af5ff9a08a1a13d408c3a266ab9ab95c7265362f21f22b224b03a75e
MD5 hash:
576313817b18c7f5919e7e4a659af966
SHA1 hash:
e22b3848ed44cdf842b11a4dc647c2ab9c1aa571
Link:
https://www.unpac.me/results/039d235e-ec00-44fa-af26-311a3a64285f/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/039d235e-ec00-44fa-af26-311a3a64285f/
SH256 hash:
17a015fc34d0e243070f80340d1692b5a52d7806328c587d8fcb153c209ad545
MD5 hash:
e871d5d07364a929ba833087560ed693
SHA1 hash:
c67b7cd2b85b55e4329009d272c4e12d2b9f455e
Link:
https://www.unpac.me/results/039d235e-ec00-44fa-af26-311a3a64285f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/17a015fc34d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/17a015fc34d0e243070f80340d1692b5a52d7806328c587d8fcb153c209ad545

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 17a015fc34d0e243070f80340d1692b5a52d7806328c587d8fcb153c209ad545

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/231810/

Comments