MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments 1

SHA256 hash:	314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae
SHA3-384 hash:	2162cdc1bed222ada744805245c7a259ec7c659c3121669ade2bc428d3f7e7cc64aea1f4c4f904916813c05bf0e92316
SHA1 hash:	028f49426cb8c0bf4979d6fa925177776b11effc
MD5 hash:	03e76b7a2245db6a2b342dae3fb3c7ed
humanhash:	pasta-aspen-burger-pasta
File name:	03e76b7a2245db6a2b342dae3fb3c7ed
Download:	download sample
Signature	Formbook Create hunting rule
File size:	368'618 bytes
First seen:	2023-09-14 00:50:27 UTC
Last seen:	2023-10-01 08:57:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep	6144:/Ya62mLcoET7vzuevY/XCOkFwUnUkYYD0k5LIb93y71avPgVIqVow:/YYmQTzwRgw9HYD7LIb9CBavP3u
Threatray	48 similar samples on MalwareBazaar
TLSH	T10B74231479D0CEB7EBDE827508FE9B6E5BBB4A09116857C72720E70EB971641E80D332
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 77-91-68-78 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

03e76b7a2245db6a2b342dae3fb3c7ed

Verdict:

Malicious activity

Analysis date:

2023-09-14 00:52:01 UTC

Tags:

formbook xloader stealer spyware

Link:

https://app.any.run/tasks/0d0f242c-52e6-41d6-8655-9bf4e414eaf3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/448506/

Detection(s):

Sanesecurity.Malware.28947.BadP.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/650258f7f880d6610caebb61/reports/48aec1ca-c01c-4384-8648-92f4afd88c35/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/24760220-14f4-4be4-9cdb-5f15c9c34a81

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1307773

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-09-14 00:51:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gffqiy7g3zw6kzdh6ar52lo366m5ra7c4zkvfxpsxb7wa7xnywxa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230914-a7g2dsah77/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

6fa5362ca84019bb973ddc973357a0ab48f092a18c658e7b4d8821dd0b4b4817

MD5 hash:

0d14dadc437b8b75e8ec78d403d33a59

SHA1 hash:

8fe0e8ae77a341948cd35d48c5340a7a97cb3bb0

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

fc276256bbf4dbe028e634d79b49bf90ea5e9d80f61614e29a43bb2f6785edaf

MD5 hash:

532ba0df9ab11bd68bc92401c74de00c

SHA1 hash:

ee23c273f8a7b833b1561e56d2e5bffd6c11d4f5

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

a5f8e12b1f4cf34d75e0967ded787e55447036f8c9d76012a0b483956b59b0ac

MD5 hash:

ce865e9a9962102fd740698a6616d549

SHA1 hash:

b49db46c59710b9954b84860890d9175d44e5280

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

dec8a5b4a3f78dbf637ea4d9e6d89dcc863ae146d6adf9a3315322e2809dc3fc

MD5 hash:

ab8d9697928b721a14cd8db9776250d4

SHA1 hash:

7e944d944030240493c3ca6e4ac60b6ae4e28729

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

33e592892e88ef9604dc15cbb733e9884e23d80aa6500464b2546c7e47b6f136

MD5 hash:

3cec5fb0dfb9ee04c064e485b73c938b

SHA1 hash:

42b399783538d08ae6393f785019288691e4daed

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

fd92b14c7d3193dc5652531c32b7b391735735cfab07fe1e6922adb051444bc4

MD5 hash:

0c1472a7648546d6127f9080b1e5ac1e

SHA1 hash:

33d7aec446bf49674ada2eabb15170c2adba3d9c

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

15aebd87c2812de47b9125116bbfa42b8dfed3889129b86de887dcc415e1f886

MD5 hash:

17dc8f48e1f1c65653e08d361fac8610

SHA1 hash:

304d16a650841f8623a220d2b110dbebab5af848

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

SH256 hash:

314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae

MD5 hash:

03e76b7a2245db6a2b342dae3fb3c7ed

SHA1 hash:

028f49426cb8c0bf4979d6fa925177776b11effc

Link:

https://www.unpac.me/results/40c40997-6e6e-4f2c-ab35-37de4b8e984f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/314b0463e6de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2711592/

Cape

https://www.capesandbox.com/analysis/448506/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-09-14 00:50:28 UTC

url : hxxp://77.91.68.78/lend/file.exe