MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee
SHA3-384 hash:	6ffe4c906b4e381b151b83246d13ab49117e7e5a7492ad145f9b06e30b68a5f22788e80b7b4bf0d8e41c42c0902a9aad
SHA1 hash:	4ef61cde816fa0c0369ee440badfd47fbffc89c5
MD5 hash:	e54c1b7dc4d3b31ace903a884289989f
humanhash:	georgia-blue-stream-autumn
File name:	ALLRFQINVOICE09876000090.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	394'663 bytes
First seen:	2023-09-29 06:46:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep	12288:JnPdBL1hmusy9WyEXKibssmnaRXVo35dRvqk:VPdBLGucBZmEVpk
Threatray	14 similar samples on MalwareBazaar
TLSH	T12D842386CAF4C17ACF568DB488B7A7730FE5151200916B4B1B5D6A6DFCA3463CE3D2A0
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d0d6969696ccd4d6 (26 x SnakeKeylogger, 5 x RemcosRAT, 2 x Formbook)
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

284

Origin country :

PL

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451867/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.564.28640.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Dragonfly

Gathering data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/651672e733582f234e06a0c7/reports/3a96ed9b-0590-4d64-b76c-f9545875305e/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19ad0a3a-7995-4fa0-ba14-70d7562743d7

Joe Sandbox FormBook, NSISDropper

Result

Threat name:

FormBook, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1316203

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample has a suspicious name (potential lure to open the executable)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee/

ReversingLabs TitaniumCloud Win32.Trojan.FormBook

Threat name:

Win32.Trojan.FormBook

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-09-29 02:28:42 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

23 of 34 (67.65%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dl52vi562thr5j4xl4azwxvmd6xxl54mj5zhwmwt5ccct3de73xa._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

05fb5835fab54db2c4e8970a25126d4a57d9544a2e2671d3cc823fa63e115b5e

Formbook

1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f

Formbook

2a4b8b4d329377ee94fbb2fdb88afa277be98d82a1373adf5e43777833720265

Formbook

50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1

Formbook

b47036189825426c6e368fd21594aaba8dbdcf573464d2939f99da44c9874b97

Formbook

c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461

Formbook

f23c197a08df004d0646c8588e588d3ae064368a208f4679718c0c8995161362

Formbook

+ 4 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230929-hj7k5sgc5x/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UnpacMe 2

Unpacked files

SH256 hash:

d82ea56b875ab9d8269b8042c48117469324d3acb3aab1124b77d6325a690f65

MD5 hash:

57a5376f90e5cb894ed047c97b265d44

SHA1 hash:

3af7c26dd61f107225b87c1622511e39f6233cb9

Link:

https://www.unpac.me/results/3d4355da-f5be-4b75-aafb-a69082bddd56/

SH256 hash:

1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee

MD5 hash:

e54c1b7dc4d3b31ace903a884289989f

SHA1 hash:

4ef61cde816fa0c0369ee440badfd47fbffc89c5

Link:

https://www.unpac.me/results/3d4355da-f5be-4b75-aafb-a69082bddd56/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1afbaaa3bed4/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1afbaaa3bed4cf1ea7975f019b5eac1faf75f78c4f727b32d3e88429ec64feee

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451867/