MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41e0f6ad541e5253c451b3d51976df257813e85c443ab1b863b3acf6c078b38c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: 41e0f6ad541e5253c451b3d51976df257813e85c443ab1b863b3acf6c078b38c
SHA3-384 hash: b8bfc2f6b9cc9eb14255e5c175acdc43c938d91ab634c1049bf5fb61a8fd2722e969d63b51eba1be8788c030de27d2c7
SHA1 hash: f2774f50aabd73d03ac45447fa1aac4563348af9
MD5 hash: f328a43f0ed25b23d8e5eddcd3d4e96a
humanhash: pluto-iowa-oscar-august
File name: f328a43f0ed25b23d8e5eddcd3d4e96a.exe
Signature: Formbook
File size: 474'421 bytes
First seen: 2022-01-26 15:33:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep: 6144:RwzF/7EV6rbI4CduZdK1BFca2jIlUZVo3K074K+0bNT1N0afa3g:wk6PZAAMPa30qVo3dV+cTP0afa3g
TLSH: T1DDA4BE9D23E6A597D07213B50D5AFB3AD62365743A1447B27ED03BFF2E643360CA2242
dhash icon: 70d098b0ca9cf870 (1 x AveMariaRAT, 1 x Formbook)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 158
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD JANUARY 2022.xlsx
Verdict: Malicious activity
Analysis date: 2022-01-26 12:01:52 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.SpyNoon
Status: Malicious
First seen: 2022-01-26 15:34:10 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:pnug loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Unpacked files

SHA256 hash: a388126932c853530290e791dc01e30ac1c163beba20189993529716ac8fd6a0
MD5 hash: 47f2dd441dc2fa84c9e4105ad0f25a26
SHA1 hash: 8fd45ae119726a6c40116170b9d6c705b28eeebc

SHA256 hash: c744a4435d81489ef625898e53053f42e20ed3636aa379608b9f5f3553183e05
MD5 hash: df346e3a880b6e1cad15024844bc140b
SHA1 hash: 4fa69b1a80af84d85d0709b50a11924a954c904d

SHA256 hash: 41e0f6ad541e5253c451b3d51976df257813e85c443ab1b863b3acf6c078b38c
MD5 hash: f328a43f0ed25b23d8e5eddcd3d4e96a
SHA1 hash: f2774f50aabd73d03ac45447fa1aac4563348af9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | Formbook | Executable exe 41e0f6ad541e5253c451b3d51976df257813e85c443ab1b863b3acf6c078b38c (this sample)

Delivery method: Distributed via web download