MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8
SHA3-384 hash:	d7826bcde2f5486bd967a54d2b3a178f2a2f2314c9b17e7cfc6d1f8f3777724e0e33333e6a343cda44feb66c0baa2dac
SHA1 hash:	46f179d1be59306571066f1e2430463e8f868fc9
MD5 hash:	08b80fc048531e352da2ff1ffd890506
humanhash:	idaho-moon-stream-montana
File name:	HSBC_CUS.EXE
Download:	download sample
Signature	Formbook Create hunting rule
File size:	581'039 bytes
First seen:	2022-02-08 12:48:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	12288:iLXSgSIxkdCefqSrU2rOQ5Avgt38eGJhYZ:ixrxkdCefscOcNt38la
Threatray	13'456 similar samples on MalwareBazaar
TLSH	T180C4CF92F08489DAEC6A13B2983BCC251163BD7DA9F0A91E569FB62557B33D30017D0F
File icon (PE):
dhash icon	660f9151032e1909 (1 x Formbook)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/238174/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/620266c44077c8b9a0217061/reports/3c63f494-90ce-4bba-b4c8-e69076293fe2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/05f9296f-2be3-4801-9e29-f952c7babe6a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936045

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8/

Threat name:

Win32.Spyware.Obfusinjector

Status:

Malicious

First seen:

2022-02-08 13:12:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jvt3olybokvav2uxgjuriy2eqy52b5tcu6qg5m4z2dp3x3gnm34a._file

Verdict:

malicious

Label(s):

formbook

Formbook

6ad1733c8b7f2d689659dac3231330133c262b9448d609fd47cca16ddc255e37

Formbook

8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0

Formbook

8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9

Formbook

bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c

Formbook

c026113c33af8599afd82bb769c25eea7ac5f1212576c4306347a54a8fd5ed1b

Formbook

d0ce91945a10abde8e7569759e78430c80fb8fa42589dfaccf565cf6895f8846

Formbook

d5f77ba2b2ad58cfad5ae3111994ad0f889967e6d4f67ecb9cedf1b8f10a6149

Formbook

f61f02c5be2ef5988f474ffc148b099942ab8582cd4aac8b3c991436f6230592

Formbook

+ 13'446 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:r3hg rat spyware stealer trojan

Link:

https://tria.ge/reports/220208-p2cbaagfc4/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Formbook Payload

Formbook

Unpacked files

SH256 hash:

fb4082a719f22428b864ac82848e600214d36a37127a82b48c4c38effb20b668

MD5 hash:

d0116f73efdc719982834985c1c18728

SHA1 hash:

721be97f5c4eccfba557f12b493dfe4ce3c381d8

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ac508683-8722-4953-8e56-ead19edc9d43/

Parent samples :

8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8
d2d2107ce64f31669e2c8dbe31da2cc683087050492fa4e8e31940e30f33ff04
38332124b868eaf5142c44b3c6e997de25b13415a8b7b83f708026429c9ffd7a
e149c419c1e3da9f42da46d4ba594ec7b97fc9a333bea11d1693b6750edf603b
14f417212aefc7dabfcb9585ffcf24081ae68584c68732c69e4bf6ebc1a9aeff

SH256 hash:

36f42dff9dc099534e4c8a65f7ed67ba904b4c537460b7889621f0e5cc5abf1b

MD5 hash:

9491366e02913f37989ecc41eb237d44

SHA1 hash:

4d63158a32b7410883f3ac001154c4489d347e99

Link:

https://www.unpac.me/results/ac508683-8722-4953-8e56-ead19edc9d43/

SH256 hash:

4d67b72f0172aa0aea973269146344863ba0f662a7a06eb399d0dfbbeccd66f8

MD5 hash:

08b80fc048531e352da2ff1ffd890506

SHA1 hash:

46f179d1be59306571066f1e2430463e8f868fc9

Link:

https://www.unpac.me/results/ac508683-8722-4953-8e56-ead19edc9d43/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4d67b72f0172/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/238174/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample