MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052
SHA3-384 hash:	b4ae56dcc4962e29d1df90c63689ed3972ac6c994774221f1e2bc8dc0e31a6c6055d2d37eaca192264ff0476b1c5b5c7
SHA1 hash:	9066be672da3a63b2fd7813e5c5ec1b3d1b36b3d
MD5 hash:	998c79456d9782eb1a03140e04f36d46
humanhash:	queen-carolina-burger-london
File name:	Client.dll
Download:	download sample
Signature	Formbook Create hunting rule
File size:	503'632 bytes
First seen:	2023-07-17 06:45:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:qqRbGFyesZPmO4wERAl/PfjDsJGa2Bbt/OF5fx9xmkrSG4uhIAI0YixrrVcR9nFb:qKbuEZD2alrD7a27/efx9FW8Uu6R7
Threatray	3'240 similar samples on MalwareBazaar
TLSH	T190B4E04ADE42A3F8D876E0B482576A2BB4717988033C43EBDF5016751B61EF4B73A748
TrID	20.3% (.ICL) Windows Icons Library (generic) (2059/9) 20.0% (.EXE) OS/2 Executable (generic) (2029/13) 19.9% (.EXE) Clipper DOS Executable (2018/12) 19.7% (.EXE) Generic Win/DOS Executable (2002/3) 19.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	1ZRR4H
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Simman Stock-Maliye 2023.docx

Verdict:

Malicious activity

Analysis date:

2023-07-17 06:08:51 UTC

Tags:

exploit cve-2017-11882

Link:

https://app.any.run/tasks/57b3a88c-b9d1-4580-a14c-15527f967e78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/422134/

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade overlay packed

Link:

https://www.filescan.io/uploads/64b4e3aaf52c3e1a0149ab56/reports/a303e03a-5e11-45ef-acf8-7e040a34b369/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6e8a06cd-0725-4dac-b6ab-7c99cfc1fdb5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i3xlinvctv2no6pasbmowv2pqoidycodc4dhseuiqqtebxozibja._file

Verdict:

malicious

Label(s):

formbook

Formbook

68ba26474bb29bdbc42cfddd75f212eec1ffa22d5c1affc893addce5330f4e11

Formbook

6e5b648d1e574dfbbd6337c6d11b851b2b12efec1f0ae59b1327e0dce1dfe7e6

Formbook

99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef

Formbook

a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f

Formbook

c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76

Formbook

d6e23ac410c1cad704abcfe18e2ccfa86ef2e6cbc30d22012f7ceec9b9f378ec

Formbook

de30e038eaa635585c23ec16221f9307e49152fe0d42d6f49a9435beb42f1f9f

Formbook

fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534

Formbook

+ 3'230 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/230717-hjl97sbc4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052

MD5 hash:

998c79456d9782eb1a03140e04f36d46

SHA1 hash:

9066be672da3a63b2fd7813e5c5ec1b3d1b36b3d

Link:

https://www.unpac.me/results/183821b2-9afb-4222-a0ed-185ade6ecc61/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/422134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample