MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77
SHA3-384 hash:	59dde07cc02e146e8c6cfc5bb4896031a9c8072e8efa0071a03d6c6c6b222679185cf05354f10fb27f4f93af9e4f565d
SHA1 hash:	b53a0742f4d2741093a661a6187df508fb564dfe
MD5 hash:	889a888a4fc57ccc48c97ae683571bb8
humanhash:	yellow-georgia-bluebird-texas
File name:	889a888a4fc57ccc48c97ae683571bb8.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	279'000 bytes
First seen:	2022-04-14 11:25:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	6144:zjgyHNwgPrQX4+2kZFr+0xXCLQVKuVlNEsMNh:oy+gPEX4+P7rZkuKuVlqso
Threatray	15'079 similar samples on MalwareBazaar
TLSH	T18A5412AA3AD2E8FBF01647BB1BF76621F3309B09617016471FC06FB54D1C4D2AE19166
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

889a888a4fc57ccc48c97ae683571bb8.exe

Verdict:

Malicious activity

Analysis date:

2022-04-14 11:40:51 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/2e3b8a43-4fde-4e8e-a3e5-19562ed58302

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/263695/

Detection(s):

Win.Trojan.Injectorx-9944056-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Searching for synchronization primitives

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13859/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/625804d6482f2f41caada7f8/reports/c53f6664-e0ba-4b62-a6ae-53d2702bcc53/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/408cbcf0-974f-484a-8c7a-fd025edf3bb6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/976783

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-04-13 14:39:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

209f77f7c06469c75125d639bdca79aa1751e1d76a7288d349f113f9c75b7da4

Formbook

5cef577cfd13f14d2c7468515dcd2da6bdbcbfe9e6778bf2dbf4ee212f273372

Formbook

91d99c65d090258a349298db78014461d0461e916733b3be3247410e05c31d0d

Formbook

d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720

Formbook

faff2bfbf22cd4f7d3d79ae04fbff8db10e9e0c5416dd27644f5bcb0d5dfd98c

Formbook

fc0298b6968720affc88ee57d037699606f5bdeb5d6d47db892c4fec474c062d

Formbook

+ 15'069 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:ud5f loader rat suricata

Link:

https://tria.ge/reports/220414-nke56sbhdr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Blocklisted process makes network request

Executes dropped EXE

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

cf67ed89b1ad5002a948232de75f9cc28bc8dab6eb609a93ef254557ca4a5a48

MD5 hash:

20d4c91137cd70ee101d7c25274cceff

SHA1 hash:

37f85eee3785fc323de9546f3f1034c80fc24ef0

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/164ae942-8dde-4ac4-8762-87c5130b7e55/

Parent samples :

5cef577cfd13f14d2c7468515dcd2da6bdbcbfe9e6778bf2dbf4ee212f273372
fc0298b6968720affc88ee57d037699606f5bdeb5d6d47db892c4fec474c062d
44c1010aaaf8086dc6358f391f6d957057246eb0e6313b40a05a80e2ec9ef9a9
91d99c65d090258a349298db78014461d0461e916733b3be3247410e05c31d0d
a8bbd4ca2516a674b7d8b3b75cdd35f939af1cb503ea3eac66493e3f74984f1b
1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77
434655800ff8d745df2462881f0fe044f2af72512217dd531beffbfea0e2b1a6
9e5adcaacfb1ac132bda2322f07bea8a6e8520fbaaa2db812cb8ad6bb6c49512

SH256 hash:

e645d32049f5106c4c7d472ee61162ef6fec4306f63308b17fc3c32750e70645

MD5 hash:

aecbe2a5219b401eab9c1a091bef2f27

SHA1 hash:

474c2ca79194d05e26d71da13aa04a720f7c67a0

Link:

https://www.unpac.me/results/164ae942-8dde-4ac4-8762-87c5130b7e55/

SH256 hash:

1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77

MD5 hash:

889a888a4fc57ccc48c97ae683571bb8

SHA1 hash:

b53a0742f4d2741093a661a6187df508fb564dfe

Link:

https://www.unpac.me/results/164ae942-8dde-4ac4-8762-87c5130b7e55/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a852a9f9db5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/1a852a9f9db5ed1241ddddf3c62f2d258754ffdf8df9a53bfb43da779f8faf77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research