MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
SHA3-384 hash:	27d164220a1b7ae2efbd43ce1eeed0ce69906ed1cfa3b5b78b0e0907255ecf866e0da1e671b4d647328495dc0bca385f
SHA1 hash:	04d62d915bd1a81c4b5ed35df6edb953107398c8
MD5 hash:	14848f52302c15e27b26fee5fada11c1
humanhash:	quebec-low-hydrogen-echo
File name:	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207
Download:	download sample
Signature	Formbook Create hunting rule
File size:	428'316 bytes
First seen:	2022-05-13 22:36:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:eOtIldxqG7hiusCwlvcyHQOEYf5iTQuuAxjNnmJvLtVeV+hLk7:eORQiuqEyHH1GtNnmFBi+lg
Threatray	15'602 similar samples on MalwareBazaar
TLSH	T1B694E092D5C041A5EC794B34B53B1D3A16A7FFB9BCF9EA8E864D71312B732C2401B942
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c3894f032b232313 (2 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/270525/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17612/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/627edd978d13de6dc3b28c11/reports/306caa97-2876-4cf7-9753-cf51693a3acd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9dabe83a-35c4-43cd-acfa-da6b1eae2867

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/993928

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2022-05-13 21:27:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 41 (34.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jleyf2rvkivbhxrq7565xpwjx3hsy5jiushqv7zxpy6wowfhvz5q._file

Verdict:

malicious

Label(s):

formbook

Formbook

387234df5ff2369a1a2bd25b060d5d7dd3817e07577baadd33bdf5c2dc7725c1

Formbook

6b19bf1ec55b55f38c00c74fd66dd45c8d7e12eebebca913c4d21152ed0ced8c

Formbook

786940cf8fc524d46f8b3a0e72883d63c23315ea642c38f75d897e2162404e3e

Formbook

a5ee0630cbe521aa9279b50a655a04ca59ed837919cdf94c8cafb30e4c39598c

Formbook

dacb77cc1043b74ae83d504072258f6157c6bb72fcf340356cbd932cb10bbf28

Formbook

f156099a9282dcdcab3acbf57c50bc1d0121a6e9714d43ba69ab9934ab0d9439

Formbook

+ 15'592 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader campaign:p0ip loader persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220513-2jsa1afagk/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Adds policy Run key to start application

Executes dropped EXE

Xloader Payload

Formbook

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b

MD5 hash:

14848f52302c15e27b26fee5fada11c1

SHA1 hash:

04d62d915bd1a81c4b5ed35df6edb953107398c8

Link:

https://www.unpac.me/results/61cf8fa6-5b77-4161-b5bb-653ed5b0fe87/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/270525/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample