MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 295ae7032edd1641c0c214f6562adebc9b6ee0bfe1f041034fd15e73e7e283e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	295ae7032edd1641c0c214f6562adebc9b6ee0bfe1f041034fd15e73e7e283e4
SHA3-384 hash:	252131769c4f750c812747d84090d60a7051360e24b28ec59d7ed0d76a0b0bdcbc8dd91ae83d36ec05cd956b189cb5e0
SHA1 hash:	0fcf157f750e1061663febb90045a324975b0024
MD5 hash:	87f1228dfd5ad90ae3fd20c4e48bdf50
humanhash:	diet-zebra-wolfram-speaker
File name:	SecuriteInfo.com.W32.AutoIt.VB.gen.Eldorado.24791
Download:	download sample
Signature	Formbook Create hunting rule
File size:	619'008 bytes
First seen:	2022-09-27 14:26:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep	12288:bOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPikCFV44ZpP8e0jUwQ2cfDv:bq5TfcdHj4fmbTY+gp8ewMv
Threatray	1'268 similar samples on MalwareBazaar
TLSH	T13FD41250AC98B9CDF86220335D995A4A113C9E301CF8675F64FA3BB33DB25460CB29F9
TrID	33.9% (.EXE) UPX compressed Win32 Executable (27066/9/6) 33.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 13.1% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0f235dd4d44d270f (2 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314007/

Detection(s):

SecuriteInfo.com.W32.AutoIt.VB.gen.Eldorado.24791.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39505/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckNumberOfProcessor

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed shell32.dll

Link:

https://www.filescan.io/uploads/6333083918a36c641c874251/reports/ead6aea3-4bd6-4d86-900e-39f9b98434c9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/526f3de4-8e59-4f8c-a8bd-901c5187217c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1078376

Signature

Antivirus detection for dropped file

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found hidden mapped module (file has been removed from disk)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/295ae7032edd1641c0c214f6562adebc9b6ee0bfe1f041034fd15e73e7e283e4/

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2022-09-27 14:27:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ffnooazo3uledqgcct3fmkw6xsnw5yf74hyeca2p2fphhz7cqpsa._file

Verdict:

malicious

Formbook

5c6e6b2ac1dd3b79f6bd5de563d90e9614d75a2f33dbde962dd708242e6eb1b8

Formbook

61004944921826aa2cdf48c60720daa7e45a6694606ce82e62ea38c655856c0f

Formbook

782fa714fdc51cee0a898e99f98093833524a280d11dbe52aa74b4e18b37262c

Formbook

98011c4066f47e8f3628772faeae182566a68c9829eb9206b04115b307c42f5a

Formbook

bd49dbc39747130c1e76ad9ce9579a8d4fe5ea95ef5ade5568db2b398c072327

Formbook

dfca1291bcdc6fd3a0a7ae07cc153d3fc07c418138b1d2896f818d9ac3252a7c

Formbook

ee9d99a09e56c71072f7ea7e53d36d02e53d2e9dabd029fe0820fada596178b6

Formbook

+ 1'258 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/220927-rseq6aegcr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Unpacked files

SH256 hash:

2edbe564d4eefcdfb0da411cd2c8395ee26cad5410741c5576bda0be24f3486a

MD5 hash:

3e0eaa2ddc8e773574a610dcbfb21c52

SHA1 hash:

c0f995e2c0f1d3915989cb59210e4fa4f38b898a

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/7d3e393f-d8e9-4687-b6aa-9f3cd7db6e8c/

Parent samples :

7d3f405c5be58b5deeeaedd64e48a02ce7aeff56c435c52d7c0b476ce6c7db5e
aa4dda4c2839f40e630e48c3461ed30ff795514f16a4c4c91c6ff1c124d605df
aed4e3f7b3b3217cdd0447b64e8946e2122e874a9d6fedc414886a6bd55092b5
de0e6d11cb1128871933d5d7151b0b8d2a26e642e0eb5dfd3680fc710f4c0629
295ae7032edd1641c0c214f6562adebc9b6ee0bfe1f041034fd15e73e7e283e4
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
e510aadd7609c9ec1e54c9b8c036c9a10dfe8ef9c67feb54f1b30399a7605c4d
8ec35ed3136e801808a48531827512458b7afbb683fe77f8b8fd0d6f9bf8e608
d5edadd969395a3c5fd2a2cf9832684b11680480b5ca75b464988cff244a6d6d

SH256 hash:

295ae7032edd1641c0c214f6562adebc9b6ee0bfe1f041034fd15e73e7e283e4

MD5 hash:

87f1228dfd5ad90ae3fd20c4e48bdf50

SHA1 hash:

0fcf157f750e1061663febb90045a324975b0024

Link:

https://www.unpac.me/results/7d3e393f-d8e9-4687-b6aa-9f3cd7db6e8c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/295ae7032edd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/295ae7032edd1641c0c214f6562adebc9b6ee0bfe1f041034fd15e73e7e283e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314007/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample