MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b5ddc5914b203b4213ad5cc15cc498ad16691d84fb239220331fc83503e76d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	36b5ddc5914b203b4213ad5cc15cc498ad16691d84fb239220331fc83503e76d
SHA3-384 hash:	528020aff08e2c0a133b17297efd012e3fa2099eb0d995017779faf3c390c9d92f6a60f1aebf92c686607f0ac99f480f
SHA1 hash:	d0516cb3b74b9c36512957a36a8d00346de28160
MD5 hash:	13023b4453e98378bf05047bd0bbb9f8
humanhash:	harry-idaho-alabama-leopard
File name:	SecuriteInfo.com.Trojan.GenericKDZ.75441.5474.28833
Download:	download sample
Signature	Formbook Create hunting rule
File size:	413'184 bytes
First seen:	2021-05-24 13:06:06 UTC
Last seen:	2021-05-24 14:02:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	40bba328aeeb86af0602a23d2610bb0c (3 x RaccoonStealer, 2 x TeamBot, 1 x ArkeiStealer)
ssdeep	6144:MKL0e5f1XMELk0YVYISuhA9VxoFVGMZud83+xcb88O5lDNNq992XsTRV:MKL0e5f1XxTYVdNA9/If6xllNc/2XsL
Threatray	5'319 similar samples on MalwareBazaar
TLSH	4794AE28B6A8C031E0BF12B459B5C2B865397DE16B3440FF62C53AEE52346E5AD3075F
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cbac500e_by_Libranalysis

Verdict:

Malicious activity

Analysis date:

2021-05-24 07:19:59 UTC

Tags:

generated-doc opendir loader exploit CVE-2017-11882 trojan formbook stealer

Link:

https://app.any.run/tasks/7b5bb5a1-c306-4be2-a96a-be526fa7ba14

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/161471/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.75441.5474.28833.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/790370

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36b5ddc5914b203b4213ad5cc15cc498ad16691d84fb239220331fc83503e76d/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-24 05:57:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

2a2efb99145b090f6ac13a70fbea4a858d53ac3e09a5d9065861bc6e2cc796df

Formbook

36ac85986999d60ef2bcf74e50d27daa1bfbf6c4815e6fb5e5dc1547d8dcb8c9

Formbook

5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33

Formbook

6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4

Formbook

7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

Formbook

b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2

Formbook

c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c

Formbook

+ 5'309 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210524-72vq38sx4a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.unclechef.website/pmc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Azorult

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36b5ddc5914b203b4213ad5cc15cc498ad16691d84fb239220331fc83503e76d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 36b5ddc5914b203b4213ad5cc15cc498ad16691d84fb239220331fc83503e76d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1277699/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/161471/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample