MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
SHA3-384 hash:	5faa15e41e395de1183dbdf01e5bd4524d352c7f329c6db95ec460104799eccf2fc9f0a4e69cfd7ee93e57ef25624e0f
SHA1 hash:	0c63b6c3f731ca14d3e3c7e9bbbc8f24ea440b64
MD5 hash:	d727d38a829ab0e2b2e53cbf94292d05
humanhash:	double-montana-sweet-montana
File name:	https___smkengineeringindia.in_wp-admin_copy_bin.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	167'424 bytes
First seen:	2021-10-01 21:49:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:9UJBAjoUFrk7TjIlM3NHGtVkL9h2NOu17xjyd:9qoqj4M3Nmfi9h2NOuI
Threatray	10'052 similar samples on MalwareBazaar
TLSH	T109F38D32D642D031E2B246B5B26D0B7B883E0D34335560A6E7E11AE56EF09E5B53D31F
Reporter	Racco42
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://smkengineeringindia.in/wp-admin/copy/bin.exe

Verdict:

Malicious activity

Analysis date:

2021-09-30 01:36:12 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/150a706c-1dd9-4d7c-ad7d-76dab1bcd15e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/194058/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Win.Malware.Formbook-9802749-0

Result

Verdict:

Malware

Maliciousness:

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b3ee19a5-c0c7-46f2-ba0d-b98bb0da8ca5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862929

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-09-28 14:58:24 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ezig47j7jaqqm36btcnfy6npwti2gfvkikhz4susazcnsouawskq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776

Formbook

326a1e669385d8e241375e9eca9f915440f1d0d3f803e6d1648f30102cbedaa6

Formbook

50c6754cbbd313acc6a250182439a1191d8f8318f0794feea75bd647b6205f7a

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

9fd6d5c3553557a9cb263962d71901a681aaa50f3808436b7dff7c4c97289b5e

Formbook

ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3

Formbook

c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746

Formbook

c4c9d27ea805c32e7f0e66dc0d9534d8fbd87f4c1327727b2e1e9ae937f02c45

Formbook

d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

Formbook

+ 10'042 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:wpte rat

Link:

https://tria.ge/reports/211001-1pyjjadcgp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Malware Config

C2 Extraction:

http://www.ktndiet.xyz/wpte/

Unpacked files

SH256 hash:

26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495

MD5 hash:

d727d38a829ab0e2b2e53cbf94292d05

SHA1 hash:

0c63b6c3f731ca14d3e3c7e9bbbc8f24ea440b64

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/46a41108-f735-4395-9d46-eea7adb2ad2c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/194058/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample