MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 405d90a313a8c61baefe1682a5b1ba97812af6ce0824603833dc4524caf08d2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	405d90a313a8c61baefe1682a5b1ba97812af6ce0824603833dc4524caf08d2c
SHA3-384 hash:	a9bbac95cec1a4411a267b534fcd3a8eaf66c928a6aefaa00e39047d1b5b952b5197efb59b74adbafcc2beddc8b55a69
SHA1 hash:	49c5f9af9255bd04084424ac6d2ff9665f6c966b
MD5 hash:	28d7b093a3dd63e579b6eef179d7bfd6
humanhash:	fix-yellow-uniform-beryllium
File name:	asd.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	488'362 bytes
First seen:	2022-10-27 16:00:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (535 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	12288:yY9BpM9pWRYjv8ympaWrzro1APuJhPlme3:yxozM/j3
Threatray	15'748 similar samples on MalwareBazaar
TLSH	T1B8A45A03F40F40DAFD2A0F73913A086499532EB9B874F24D299A3A6217F37E2441BF56
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	283161b2907d08b9 (1 x Formbook, 1 x GuLoader)
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

asd.exe

Verdict:

Malicious activity

Analysis date:

2022-10-27 16:03:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d9d7fd5-291a-4576-b576-431c179a2497

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325006/

Detection(s):

SecuriteInfo.com.Win32.Outbreak.16812.1953.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Creating a file in the %AppData% subdirectories

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/46034/overview

Behaviour

MalwareBazaar

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0f068045-8304-42b2-9fb3-0ccd7733516d

Result

Threat name:

FormBook, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099596

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/405d90a313a8c61baefe1682a5b1ba97812af6ce0824603833dc4524caf08d2c/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-10-27 16:24:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibozbiytvddbxlx6c2bklmn2s6asv5wobasgaobt3rcsjsxqruwa._file

Verdict:

malicious

Label(s):

formbook

cloudeye

Formbook

3d9766bbf57730b0aa1d3d43a8ce30d7f7b0798b82f32d235a06af5cdbb6ab6c

Formbook

3eca58af30a24d1b5697c4079be161499ec28e5ec399738619c640633b6d1781

Formbook

82478a8a9aad7d755492677e29689c5656bddb130798408bc38a751ccd35cfbd

Formbook

c03b3de38a4c16044ed792465b6bc73a1e15bb86e5543fa89b3fe866e55b015f

Formbook

cc268916fb77287ae7258a4301c427751c9a0277786d101aa74a761419564f28

Formbook

d7750235007c0d35353219bebab9ccb181f7e1d019c265e441a734b19c88dc69

Formbook

eacbd3784763b4f97f35d08baa9c11c48fcb08fbec721f1d52543ce2d036d5f5

Formbook

+ 15'738 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:gut0 discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/221027-tf8jtacff2/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Checks QEMU agent file

Checks computer location settings

Loads dropped DLL

Formbook

Unpacked files

SH256 hash:

8eb330b851199694975abf5dbb71975c7235b0863e4040542526d4ebf941c896

MD5 hash:

fa8f56e035a51ca20561b2968ffb6ba3

SHA1 hash:

d7eee294c0c3ab292eb317d525fcd8f6a7290817

Link:

https://www.unpac.me/results/0b99f102-a984-4939-8884-41872e8a883d/

SH256 hash:

f8937022ac82531075f259f75c12c3352af9df95946de46272c1368a6d622d17

MD5 hash:

387225c38adc4d69f9f40871d42fff1a

SHA1 hash:

e6f733c26243b44dd64fa43945dfce02a275c0a7

Link:

https://www.unpac.me/results/0b99f102-a984-4939-8884-41872e8a883d/

SH256 hash:

a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

MD5 hash:

75ed96254fbf894e42058062b4b4f0d1

SHA1 hash:

996503f1383b49021eb3427bc28d13b5bbd11977

Link:

https://www.unpac.me/results/0b99f102-a984-4939-8884-41872e8a883d/

SH256 hash:

405d90a313a8c61baefe1682a5b1ba97812af6ce0824603833dc4524caf08d2c

MD5 hash:

28d7b093a3dd63e579b6eef179d7bfd6

SHA1 hash:

49c5f9af9255bd04084424ac6d2ff9665f6c966b

Link:

https://www.unpac.me/results/0b99f102-a984-4939-8884-41872e8a883d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.28

Link:

https://yomi.yoroi.company/submissions/405d90a313a8c61baefe1682a5b1ba97812af6ce0824603833dc4524caf08d2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/325006/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample