MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd
SHA3-384 hash: e77920831b1f53789c2a18614d451b0277794d6439e9ae920d47788c730e2c2e8437519afdaa092963239d57e68fb4cc
SHA1 hash: b15d096f5130390fb027310795ef2cfe305395b3
MD5 hash: 6dc6d474ce38d56ad9003a4bb382619a
humanhash: grey-angel-september-twelve
File name:bulk order_pdf.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:406'528 bytes
First seen:2021-10-01 12:22:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21506be3202517bb1e8cd3e1062868ad (5 x RedLineStealer, 5 x RaccoonStealer, 2 x Formbook)
ssdeep 12288:6MlqJg5hsL4NGc86opU3NAUGoL6GLzxd6L:6zwc6oxNoJnL6L
Threatray 8'323 similar samples on MalwareBazaar
TLSH T16A84D0097252CFF2D67105B1AB06C7E0463EBC2D5C2BB24B7B98765E7E3D381D622246
File icon (PE):PE icon
dhash icon a798b8fadaea9898 (1 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bulk order_pdf.scr
Verdict:
Suspicious activity
Analysis date:
2021-10-01 20:00:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/385566f6-3d75-4b37-bed0-a7f9f137eb50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193988/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e206a8c-9c27-4f19-8b4c-33ec417180a6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/862702
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 12:21:54 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=io3qb7aueokpy4aujtndmnaf6c5uf7lrpjbsdld6iraigzcx2x6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0655ee712ee939add7c23e011eb887fe70f085e1fea6df1dbeb07bc8df7ffdb7
Formbook
218a43f5f1a1bb3a7974fe8fd0532829b1b858dec3c8d6bc2a5835a6bb735321
Formbook
85e45fbdd69f39214a4e3f588d14b1be4a7d81f4503813e1ab834c3525e568a8
Formbook
9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
Formbook
bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9
Formbook
cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
e7d4b1fb8d668e0b01943e63024f65809c6f1ee73ebcc8a969970a29138d85b0
Formbook
+ 8'313 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dn7r rat spyware stealer trojan
Link:
https://tria.ge/reports/211001-pkf8xabgh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://www.yourherogarden.net/dn7r/
Unpacked files
SH256 hash:
43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd
MD5 hash:
6dc6d474ce38d56ad9003a4bb382619a
SHA1 hash:
b15d096f5130390fb027310795ef2cfe305395b3
Link:
https://www.unpac.me/results/18583b81-1e55-4172-b80d-f708b1914326/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/193988/

Comments