MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35fd1ba0f7a3adef1e5cf704a30f394cd20868bf42b1f31be4fc4738701c5e4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	35fd1ba0f7a3adef1e5cf704a30f394cd20868bf42b1f31be4fc4738701c5e4b
SHA3-384 hash:	bf97060247f9e2efd6c02d2587e1a1f2ebcc23aa9a14127cbbb609599ff9ee5a59d88febb672bf31541b4ebdd4f0bca7
SHA1 hash:	a0bfe57c4773c5ccdc8581f76adb9aab2176d53f
MD5 hash:	e0f95d7ac5f14afd46c4c4b334b77070
humanhash:	ink-item-black-california
File name:	SecuriteInfo.com.Win32.PWSX-gen.11116
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'117'184 bytes
First seen:	2022-09-15 05:40:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:mrGfk99lhMNQAoicLW4/jH2vbI1v7JvbQJjNkBmEdKgEZFZnxEdDr3bruKyjmbqp:xf4RMC3XHwI1v7Jvbyj8/dKDFZnxO7m
Threatray	14'339 similar samples on MalwareBazaar
TLSH	T18935F1681776C907C86AA474DDD2F2701EA85DD4836FC34B08DC7CB7F63B29869D22A1
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/310123/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.11116.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6322bb2f36ccf428b25de048/reports/a49803ef-02af-47f4-bdc2-44bb78311294/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/605c6bd1-0779-48aa-ad40-56eee6d9166e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1070679

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/35fd1ba0f7a3adef1e5cf704a30f394cd20868bf42b1f31be4fc4738701c5e4b/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-09-15 05:41:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gx6rxihxuow66hs464ckgdzzjtjaq2f7iky7gg7e7rdtq4a4lzfq._file

Verdict:

malicious

Label(s):

formbook

Formbook

401893d409c8453d7b0a4b7cd4ed000e61b32aa48a9e25a14f1d854fe0d86b7e

Formbook

4bbb39fcbea555b2ff359c3422f1058dcebd8e4cf0ae68d3b05f2198d57db9a8

Formbook

66e023153783841c82581216957c689782313b971b270bf48f1ec3bc1885d3e4

Formbook

78d04244289fe215008b2c7d8937813b740228e5b60092287346e66e29c8182d

Formbook

7ca3b28aa32d6b9bd972c430c47691db7212f9fd7b713c3ff2fab8b10a0bd66a

Formbook

96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881

Formbook

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

Formbook

fc15ab19130fccdae7dee477e0ae6d711fe3492cbac1b7e5d472eae4902f9516

Formbook

+ 14'329 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:g2vp rat spyware stealer trojan

Link:

https://tria.ge/reports/220915-gde39sfgal/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9b9abf56-06cf-4c40-bf3e-6b9948b5cfc7

Unpacked files

SH256 hash:

0c8b60007fb509e5ebec2424035a00030b310aa296c2d64b8b8d43729b7514ec

MD5 hash:

8f8bfbf61742b2c9eff554f38469c868

SHA1 hash:

995a7d951f00a92a4de1ecce21eac0bb4853f220

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

SH256 hash:

a388d67b1c9f9da732b3947c0779a2790d21dc06cc938535958a7a379efe804f

MD5 hash:

27b2614634aa4b60d1f9f2669d039a7e

SHA1 hash:

caa07bce671eee5a8b30d13c3c40d88b87c2fae0

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

SH256 hash:

5fdde5ff8090e7aa82b50429f8f456afb21b9a11ae021aaf14022acc069dd9b6

MD5 hash:

3c54d4fbd22c39740e541b1914fb4701

SHA1 hash:

39b15d55702cce4d284f37d7d7a6eb2b7839d8e8

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

SH256 hash:

aef85e26fe14d867c12157dc58ef84cd33ca3f61c437d022119b237098c217b5

MD5 hash:

5ba1ca3cc92331747724d367ca4b9acb

SHA1 hash:

7f7f3fed114113ef01e7cc9413bae477edca313c

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

SH256 hash:

44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc

MD5 hash:

d012ba9057bf67c7f29871326f2af919

SHA1 hash:

1d5b8b512b37f0e1900496b578117082929654c7

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

SH256 hash:

35fd1ba0f7a3adef1e5cf704a30f394cd20868bf42b1f31be4fc4738701c5e4b

MD5 hash:

e0f95d7ac5f14afd46c4c4b334b77070

SHA1 hash:

a0bfe57c4773c5ccdc8581f76adb9aab2176d53f

Link:

https://www.unpac.me/results/d7642742-28b3-4a45-be29-c7784588e9e2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35fd1ba0f7a3adef1e5cf704a30f394cd20868bf42b1f31be4fc4738701c5e4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/310123/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample