MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c
SHA3-384 hash: 37173a7dc8c6ba321350f33f3155a4763a83f9dfc7d2aa83f0d48564ed0acc76409024a7d13171c268b6a5cadc84859a
SHA1 hash: a2b995f1d93a78d61bf60d539d9abb7ea9e368fc
MD5 hash: 536fbc4f18bd12f9d50d7cfa782df5a9
humanhash: michigan-blue-lemon-apart
File name:536fbc4f18bd12f9d50d7cfa782df5a9.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:167'424 bytes
First seen:2022-04-06 16:31:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:iSp2X23gWkg/dAMFewY+DV9kiYWc2+Wm8K3z5bf:iLgXaMFRXB9kixc5D3d
Threatray 15'180 similar samples on MalwareBazaar
TLSH T1F5F39F32D642C071E2B241F5F26D1B7B883E0D353355A0AAE7E11AE56EE05E5F42931F
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/261448/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL
Create hunting rule

Win.Malware.Formbook-9802749-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook overlay packed
Link:
https://www.filescan.io/uploads/624dc0a5db9ca5cf842e58da/reports/303479ce-63b1-442f-86e5-3f578548f39c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b001851-d2e2-458a-b770-2604e7a0a42e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971693
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 604181 Sample: fxjB2RUXfq.exe Startdate: 06/04/2022 Architecture: WINDOWS Score: 100 24 www.photocpr.net 2->24 26 www.atelierdesignstudio.com 2->26 28 atelierdesignstudio.com 2->28 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 5 other signatures 2->48 10 fxjB2RUXfq.exe 2->10         started        signatures3 process4 signatures5 50 Modifies the context of a thread in another process (thread injection) 10->50 52 Maps a DLL or memory area into another process 10->52 54 Sample uses process hollowing technique 10->54 56 2 other signatures 10->56 13 explorer.exe 10->13 injected process6 dnsIp7 30 aapnujunagadh.com 192.185.76.38, 49788, 80 UNIFIEDLAYER-AS-1US United States 13->30 32 domainparking-dnspod.cn 129.226.3.123, 49776, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 13->32 34 11 other IPs or domains 13->34 58 System process connects to network (likely due to code injection or exploit) 13->58 60 Performs DNS queries to domains with low reputation 13->60 17 msiexec.exe 13->17         started        signatures8 process9 signatures10 36 Self deletion via cmd delete 17->36 38 Modifies the context of a thread in another process (thread injection) 17->38 40 Maps a DLL or memory area into another process 17->40 20 cmd.exe 1 17->20         started        process11 process12 22 conhost.exe 20->22         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-06 16:32:13 UTC
File Type:
PE (Exe)
AV detection:
38 of 41 (92.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=emvbn35oyr7g2t6i6uyy5woz2wazrwxpkgptbjozcr6tr4utmoga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2f47cecb0ac0c17ad38f1e8b65e4bbb7180d87d750ed7e93ce9fc5db11e5cae5
Formbook
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
Formbook
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
Formbook
66ed20e609a1c10376f30415f4f2a03aa274fbdaaa12925dcc81ed74bfb7fdfa
Formbook
9cd0bbacb06bc4a961772ad5dac574736247fa7604116855118ecabb6926643b
Formbook
acafe0e95f56a3a9105873aa70599b60c7e05b99f68006c763b21d590cc03906
Formbook
d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720
Formbook
e3c2718738a6d4d07664a951dee401b2c4e9416ac6a989f6aa21c3564fdaf241
Formbook
e812adcd8f8470a1be64d92dafaebf717db1c45d58fe04a9160d88a468cf7e3c
Formbook
ea94995d23d53a98a949a242022cbd9bc5b7a4320c3fb6c045370b15704e4004
Formbook
+ 15'170 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:gedc rat
Link:
https://tria.ge/reports/220406-t1xytafcd7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c
MD5 hash:
536fbc4f18bd12f9d50d7cfa782df5a9
SHA1 hash:
a2b995f1d93a78d61bf60d539d9abb7ea9e368fc
Detections:
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/bd245105-5eac-4414-90f4-2ad705c42919/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2134285/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/261448/

Comments