MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f
SHA3-384 hash: 324bb25da0b70a750642be961598d36dd07213cdaa105333f45e9bd45f7d4866ce40ac58d84e72137b84a7af625d3cad
SHA1 hash: 18a99d9966c8fd76d0fe73df7708d77e960f529c
MD5 hash: 647a6ff7a291048f4f0f8c4e206d1238
humanhash: xray-lamp-network-bluebird
File name:647a6ff7a291048f4f0f8c4e206d1238.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:301'978 bytes
First seen:2021-11-24 18:39:41 UTC
Last seen:2021-11-24 21:06:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiF/axrIf9+eeQpdTtFWna3Awc5wywRQFXywRyqJCUpj/C63cT:B/axr6+exJ+88ySy3UpDC63i
Threatray 200 similar samples on MalwareBazaar
TLSH T10654224EBCD4683FEA9605700CB65379E37A85C871A724261B70FA9B2B700934C6D677
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
647a6ff7a291048f4f0f8c4e206d1238.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 18:49:37 UTC
Tags:
installer
Link:
https://app.any.run/tasks/834b6479-225f-406b-97af-d429f6716ba5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47482177.10936.11278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the Windows directory
Modifying an executable file
DNS request
Creating a file in the Program Files subdirectories
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619e870fb71ceed4152edb3c/reports/e73aa028-843c-4c2b-b5e6-48533a794597/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03c097e5-9a01-4a88-b065-df0379469bfc
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/895660
Signature
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 06:55:01 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
16f75019c7de5d79c259d4b1f1003938bd6449ce3c49b28d6320bb43dd6bd82a
Formbook
21260151f07549ff5e1dc07ca6281d3fa876483f1dd014afde823fa0a0e0a1a2
Formbook
511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
Formbook
6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
Formbook
8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
Formbook
997d1ffb13955190f89d7d6c712af1d2b8988cffdda524963f0963b4eb761d5a
Formbook
99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
Formbook
a56201e88978eee0be785d68c9f510b25dc8d5e702af0b9d17dec5e507fc3626
Formbook
bd0eb6fff38b72907c56ad02467144b61744a7d24a054ce14eddf779854180ca
Formbook
+ 190 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/211124-xa8t6sddhn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f
MD5 hash:
647a6ff7a291048f4f0f8c4e206d1238
SHA1 hash:
18a99d9966c8fd76d0fe73df7708d77e960f529c
Link:
https://www.unpac.me/results/920ef972-c74f-4f8e-98bc-ba073fd951ca/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/232f876999f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 232f876999f6681e26051a522b6f2a73668c407b499f4bd5a0b64236dce25a1f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/209131/
  
URLhaus
https://urlhaus.abuse.ch/url/1809274/
  
Delivery method
Distributed via web download

Comments