MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26
SHA3-384 hash: 574c63cc94be92defdd3d9db13487329533bfd47cc3d023d89387a74c4bb1cb2e96f0fab872287392c725c1b8c6657a3
SHA1 hash: 082edf778cbf0a7af0994d2a0b7d397b6a820f33
MD5 hash: 2d435a73a52785b8912a447e4e205e50
humanhash: foxtrot-triple-failed-spring
File name:SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469
Download: download sample
Signature Formbook
Create hunting rule
File size:304'128 bytes
First seen:2021-01-21 10:15:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 52b6f9925181b207b99c579c99e10d60 (4 x Loki, 2 x Formbook, 2 x RemcosRAT)
ssdeep 6144:i0UOVjp2qn9FrB/gBzCgGb/2fEMaejKHwqXRcEmqzoyybe9AYQotupuW8dV:i0tjXn9FAugGuEMaejOlRcEXoy+oK8dV
Threatray 3'611 similar samples on MalwareBazaar
TLSH FD54E02979C0D032C4961170897997F2DE79B8322A3924C7F39C89399F74BC1A27E65F
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO81105083.xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-21 06:30:10 UTC
Tags:
encrypted exploit CVE-2017-11882 trojan formbook stealer
Link:
https://app.any.run/tasks/4ae26f73-f9b2-495c-acd5-9f594a1f5808

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113259/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/587088
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-21 07:12:08 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
220ab940326b10e217ed23f4806edd06fac3cf52cbd3c8863863eac6893b02ea
Formbook
5cd75052c82b5ff0cc1261075c4fdb060c21062c72525508cbb75e44683f6d0b
Formbook
9763034a6f6e93c907471ca361e619f5fe5ec0b3aeb301cd046bd877c62aaea7
Formbook
b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319
Formbook
bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b
Formbook
c2aa09fda8ed6089db384994dc58fe814ff5a725ea05cd1ccca910b0d901301a
Formbook
ceb2632fac30996ac58a50455d968873321f7a18972db02e9535b485a3b0e2f7
Formbook
f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11
Formbook
f73c1a2549b119a5de3964cdcbbdbefbaca205e1f149b4d77688a92285b4d20b
Formbook
feb7ef6e6c842b97b92c82fdba89499c252cc9414874efc7fafae8389dbf0538
Formbook
+ 3'601 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210121-ppd4fgdzzj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.chuanxingtong.com/j5an/
Unpacked files
SH256 hash:
1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26
MD5 hash:
2d435a73a52785b8912a447e4e205e50
SHA1 hash:
082edf778cbf0a7af0994d2a0b7d397b6a820f33
Link:
https://www.unpac.me/results/286aecda-fde9-442f-a369-c5a7e0432214/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/972964/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113259/

Comments