MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c
SHA3-384 hash:	2f6f1d7575a43a2e709156e54eb7dda0d1e477c015bca4106f3d1fb1050652b809b6182f10f62aaccf5607b0e62fa091
SHA1 hash:	4b139b382ec201890ccc9e42d4f265aef356566a
MD5 hash:	e4687da7a496e25629029cc28e95d9fc
humanhash:	bakerloo-missouri-skylark-edward
File name:	Booking Confirmation _xslx.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	348'433 bytes
First seen:	2022-03-14 09:00:02 UTC
Last seen:	2022-03-14 11:22:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGiFMaUrArE8RyXDNcr4Fk0jhnWYvLJLyF4RoQwGAn2LRG8D:OYkz5C0jCyV42LRv
Threatray	14'001 similar samples on MalwareBazaar
TLSH	T14474125EA2D19CDBC9E205729AFAEFF1E2FB829210E50C0A47641F092BB5747435C3D6
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/250030/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.25128.5413.18590.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/622f041adfdfa8501c9cf96b/reports/c2ad0bff-ef19-432e-bbc0-5dadb8aa5ee7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/537e0243-710d-4200-ba02-d87e6a1d650b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/955896

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-14 09:00:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iuwufs7dwanltl6vpgncluktwd2cpi4dxf6crvf7jymdbribvoga._file

Verdict:

malicious

Label(s):

formbook

Formbook

2573cb8f9979fab9ae06951ba1e3c96d7c49f2672369dd6ecf77fde42a0d45eb

Formbook

26f8a3be2038752ea7ea42cffe424d460ac03d3128f2e9305259c48a9431a09a

Formbook

5f9025473092996ecde530a0e8858fe256baec511bd44c61d8bba0fa3bd22f85

Formbook

76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6

Formbook

8eedc524cbcf57998c67472c72d0db19becad221e770bea32486deb9661d3fd4

Formbook

a00b8665cf484b38e9d12d40208001acd1b890250be4bbcc78807eeedf6c408d

Formbook

eb75ee1b5895c0cc2882a850fab0f379ca09653d92a3a7ff8569593125622355

Formbook

+ 13'991 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:an52 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220314-kycqesfhdk/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c

MD5 hash:

e4687da7a496e25629029cc28e95d9fc

SHA1 hash:

4b139b382ec201890ccc9e42d4f265aef356566a

Link:

https://www.unpac.me/results/34e8a548-50fd-4da6-8a71-81d6163b75b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/250030/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample