MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec
SHA3-384 hash:	1fe1c0e83624e9fbb3cf7f62642b1afbaf1454179f597e15d6ac5f65f8ebbefcb49a55e78ae109f3ece8a50ab7406d6d
SHA1 hash:	51101d919375043e0cb47b85256395ab689da5c8
MD5 hash:	945c01f8a6a6f7d932fe923fb663c1f2
humanhash:	arkansas-illinois-oklahoma-thirteen
File name:	SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80240.31980.4427
Download:	download sample
Signature	Formbook Create hunting rule
File size:	338'895 bytes
First seen:	2021-11-18 15:49:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGiqZygRceZklveu6LL0AJTN9LbyCDXoGrRLPMmiR170Qf4OvLLd1:yyaBqsuMTN9XyCDYG1LP3OvPH
Threatray	11'335 similar samples on MalwareBazaar
TLSH	T1E374238529A6C531EBE072B00BB65AF5F7F38AED806712CF9F643F6830B35469615381
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80240.31980.4427

Verdict:

Malicious activity

Analysis date:

2021-11-18 15:58:14 UTC

Tags:

installer

Link:

https://app.any.run/tasks/cc9fc517-e44a-40ae-88c2-4dc995b0d174

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80240.31980.4427.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6196763043e8f62b6698f27d/reports/d5308024-7481-4e8f-bf15-7e02a9785ef9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0903544b-d118-41f2-8b05-41106d1a9cb5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/892071

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-11-18 15:50:08 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

2f46c6eb0fdc1567d3d51a3fb9b7c3d6247a4f51c8043d2f076770bdd193f4ff

Formbook

4a2907475d0024c654da40187933dbb740f743d6adaeae9595c43502e2092772

Formbook

5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979

Formbook

6af0f1291317c39b44b04f067cba3aba04781f54e2dbc8932acf57f321fdec76

Formbook

6c505769c3fd238742b1a9ae5620afc9c4c24e37c5e749feda8eac24417faa23

Formbook

7c0ab1d837684e8d37e75578f4821e25d7729cb9d3739f397cabbb9c95f2ddae

Formbook

7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0

Formbook

a33cbeb94697eb2355ea92f44f065e52461adaf621ad548d066dc73d6d76eeb9

Formbook

+ 11'325 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:h2b0 rat spyware stealer trojan

Link:

https://tria.ge/reports/211118-s9ye9shee6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.brocoser.com/h2b0/

Unpacked files

SH256 hash:

28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec

MD5 hash:

945c01f8a6a6f7d932fe923fb663c1f2

SHA1 hash:

51101d919375043e0cb47b85256395ab689da5c8

Link:

https://www.unpac.me/results/ecddfb68-c238-4bc4-a8ca-368dfa51d002/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/28b7c509a791/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1799218/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/207296/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample