MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b77ac028b4a0c0c9262c945bb5480ec1bbfa3503b547fd11d34735d87245548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	1b77ac028b4a0c0c9262c945bb5480ec1bbfa3503b547fd11d34735d87245548
SHA3-384 hash:	3aafde9fe33e1e05c704bd611563380dd7ea03a10d13fb2f10009ddc3143dbd3eb70af440ac757ff62732626e5577049
SHA1 hash:	f5881870b7fdebdad9b760f12b8875cd2fa0be21
MD5 hash:	c23297d589c6a9806eb81019b2c9eb3b
humanhash:	alaska-zulu-music-river
File name:	c23297d589c6a9806eb81019b2c9eb3b.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	464'937 bytes
First seen:	2022-01-31 12:19:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:BwsjoUlDLJDyv+tNB3xn7W8N6UlE1vYZ0KLEfpvoC9c5ENOHSLtyk7aHbvIxCY:qv+tNB3xezXc5Ee3k7wbvwZ
Threatray	13'081 similar samples on MalwareBazaar
TLSH	T14CA49DA52B96C803F3805578D055F7ACC97193F86D7BC603FEB638AC7228796AC1D252
File icon (PE):
dhash icon	f0d4aae84d0f96f0 (1 x Formbook, 1 x a310Logger)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c23297d589c6a9806eb81019b2c9eb3b.exe

Verdict:

Malicious activity

Analysis date:

2022-01-31 12:30:24 UTC

Tags:

installer

Link:

https://app.any.run/tasks/4968f77a-1e12-47c9-8fd1-7c2a87c50453

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/228431/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61f7d400d7fd65ae55fc81b4/reports/0fe33364-fdfa-43b6-a7e7-dd9352722aaf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b738c98-f850-42ef-b78d-f999e57856a6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930805

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1b77ac028b4a0c0c9262c945bb5480ec1bbfa3503b547fd11d34735d87245548/

Threat name:

Win32.Trojan.Risis

Status:

Malicious

First seen:

2022-01-31 12:20:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 43 (32.56%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

0d42799a7602de1d76ef3b39ceff5075b95dd1e3891332987d525a07ef5c5f0f

Formbook

15f9ae45222e5eb82ac39303b8f9b852399bbf3ea54c3f7ff7d04e76756bc43f

Formbook

4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95

Formbook

6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0

Formbook

779f51468b459d7e4fa2fb6dafabd1771416f00bdd0ad587b1f3119da41edd5e

Formbook

a1bf6120b566e76d3df3b722c1a517fe69b74e670d70bde100c4cf04e3ee947e

Formbook

a1d8420052bbdcaf3d318427bfe57edf5cc330fb14aaa5f4a597fac220c2a6de

Formbook

a632daf4953367bf3024b3e84d13b5beb03d77719cca10b155355e474b3173e3

Formbook

cfdf477d386cab73129ac775a953d693466176d4d4854d06d580125a8f20f9e6

Formbook

+ 13'071 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:pnug loader persistence rat

Link:

https://tria.ge/reports/220131-phstxshbcp/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Sets service image path in registry

Xloader Payload

Xloader

Unpacked files

SH256 hash:

1b77ac028b4a0c0c9262c945bb5480ec1bbfa3503b547fd11d34735d87245548

MD5 hash:

c23297d589c6a9806eb81019b2c9eb3b

SHA1 hash:

f5881870b7fdebdad9b760f12b8875cd2fa0be21

Link:

https://www.unpac.me/results/c65e3ecd-4296-4569-9f43-649aec53b267/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/1b77ac028b4a0c0c9262c945bb5480ec1bbfa3503b547fd11d34735d87245548

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 1b77ac028b4a0c0c9262c945bb5480ec1bbfa3503b547fd11d34735d87245548

(this sample)

Cape

https://www.capesandbox.com/analysis/228431/

URLhaus

https://urlhaus.abuse.ch/url/1995426/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample