MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947
SHA3-384 hash:	2ed9ff72e78bebf03acf3ad7540e72d352f96e4faa9afdfd7e17cf328a0c4ad5fc4e801cc7d0e7a28d79677055f422a9
SHA1 hash:	dc1a7b697d898f801cd24199fc4691717c39e8f0
MD5 hash:	5fcbfeae2b818e9eab95723a87460401
humanhash:	summer-grey-september-yankee
File name:	5fcbfeae2b818e9eab95723a87460401.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	648'704 bytes
First seen:	2021-08-17 14:18:48 UTC
Last seen:	2021-08-17 16:52:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ff42c22be7db6fd997a1f31962592e30 (2 x Formbook)
ssdeep	12288:/U/Rmv+TmAXNzNxECRygNVl/GYlqPPMbQ4Z6hg0t9VoQigW:/Yme9P58gl/GhPPU5cgyX2
Threatray	7'957 similar samples on MalwareBazaar
TLSH	T1B5D4F111BA57C9B1C8A302B105F4D721156CBC7307A44DCB7FA84F6DABB16C0D6B1AAB
dhash icon	e88f080c0c088be8 (5 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO20210817.xlsx

Verdict:

Malicious activity

Analysis date:

2021-08-17 13:42:06 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 trojan formbook stealer

Link:

https://app.any.run/tasks/67ae3044-c532-46a6-8275-6597f65b2587

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180104/

Detection(s):

SecuriteInfo.com.Variant.Zusy.397809.31956.30886.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d511822a-749e-49ba-b9c5-ff2a025f6f57

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/834418

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2021-08-17 13:45:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 47 (36.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ekr4zxvzvzfrszdbzw4bzck25ci6efe26a7ejnwoq3bkdpygffdq._file

Verdict:

malicious

Label(s):

formbook

Formbook

1877d5ba06d098d55f491aae3470afa36b839569dcf7b17226ae81c4f27895bd

Formbook

49418af33201289e66136b482386db29a68e32c689f0b625eed3699b8bb45940

Formbook

497d83f4debdbc49d2cfb27433de383cd4aac3061bde01e4799d0274a3ef5615

Formbook

66e06710b095c687448e0b08240a99f84dfbfc24882a2c8c9f5b165f58469d8f

Formbook

68fd922afd4b980e00af527f2e2d6bbeed59ec1508c089370d64081a5532f3f2

Formbook

72a002cd9cd49afe6f15c5dc2ad7e3f65471b21fd4331202183b87c7ebab7fe3

Formbook

c74a1ee1bb642221d811a5c617c175c09bca2cf5d6937f7981b9825eab5ef127

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

efd668c69a879c85b8fb4ffdae21c471ce300548ab17321b851d0089c7dfdf73

Formbook

+ 7'947 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210817-hcj29jphpa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

1c37cc78e75459ce51f3bd635057509c3bbfc4ec5dfe52eaf7cdf7cf22360798

MD5 hash:

dd54222b097d52dd28bf02e1a7be643d

SHA1 hash:

29679d48f8d16a0061a11a16adc4be7c94ba2f68

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5af9675b-bb2d-461c-ad4a-bd17f2f93421/

SH256 hash:

22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947

MD5 hash:

5fcbfeae2b818e9eab95723a87460401

SHA1 hash:

dc1a7b697d898f801cd24199fc4691717c39e8f0

Link:

https://www.unpac.me/results/5af9675b-bb2d-461c-ad4a-bd17f2f93421/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/22a3ccdeb9ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1541794/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/180104/

URLhaus

https://urlhaus.abuse.ch/url/1542482/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample