MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 25b29ef4957c769665a959d8b3cc03aeff0e8cfb1ee1dcadcf51cd5aca61226f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 18
| SHA256 hash: | 25b29ef4957c769665a959d8b3cc03aeff0e8cfb1ee1dcadcf51cd5aca61226f |
|---|---|
| SHA3-384 hash: | d013902cbd6c71ec413d5cda0b866d39ad0d3d365fb3d6d092a4dd7fbad9a4b8308aeb76a1990df1e6514b9596816228 |
| SHA1 hash: | f6751b12371c6a1eb6df88c56295ad609a2b7f0c |
| MD5 hash: | 686edb2f5b2e85e6dcc315bb30ff5af2 |
| humanhash: | white-november-arizona-violet |
| File name: | 686edb2f5b2e85e6dcc315bb30ff5af2 |
| Download: | download sample |
| Signature | Formbook |
| File size: | 245'313 bytes |
| First seen: | 2022-03-30 16:44:06 UTC |
| Last seen: | 2022-03-30 17:56:24 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki) |
| ssdeep | 6144:HNeZmAublMUiHl2QlZRVqO1Y8r6EHx86mdhrWG0a:HNlAcMXdlZX/1HUvdhr/0a |
| Threatray | 14'500 similar samples on MalwareBazaar |
| TLSH | T168341280AAB0D0B7C0F75A751A3797B76BB954322478031F17E02F2EBD71295AD8D3A4 |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe FormBook |
Intelligence
File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
http://107.173.192.156/dd/loader4.exe
Verdict:
Malicious activity
Analysis date:
2022-03-31 09:54:47 UTC
Tags:
opendir loader formbook trojan stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching the process to change network settings
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Connecting to a non-recommended domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed python shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Detection:
xloader
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2022-03-30 10:14:42 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 14'490 additional samples on MalwareBazaar
Result
Malware family:
xloader
Score:
10/10
Tags:
family:xloader campaign:grh2 loader rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
bcd2fbfbf288415149a91fafddb4b078653960834dce345c95ff8066d881f43e
MD5 hash:
e033d334fe558d21e1fc05684497e857
SHA1 hash:
ffa97787a55717a8d6e8b5e15c574e6129907f9d
Detections:
win_formbook_g0
win_formbook_auto
SH256 hash:
765be6e07a3bd6d9bcc7893599a8e6859dac526fef6814198bba6815c39009f3
MD5 hash:
8e93130fdc2845ee25a7e18e0a18ef9b
SHA1 hash:
de47a46cbd2090a45eb1729b4a48fa30bae76010
SH256 hash:
25b29ef4957c769665a959d8b3cc03aeff0e8cfb1ee1dcadcf51cd5aca61226f
MD5 hash:
686edb2f5b2e85e6dcc315bb30ff5af2
SHA1 hash:
f6751b12371c6a1eb6df88c56295ad609a2b7f0c
Malware family:
XLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | malware_Formbook_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Formbook in memory |
| Reference: | internal research |
| Rule name: | win_formbook_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.formbook. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://107.173.192.156/dd/loader4.exe