MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a
SHA3-384 hash: fe691d8606a55680ed7f333cbd8b5cd66b113962be6cf43ef3ea37430dc764d94d027a591a79677e7c1497f68bf15b4a
SHA1 hash: 59e6db72622b711976f9ae0b312884585c9cb7a7
MD5 hash: e46ea39bc8422a6806f106a4bac694d3
humanhash: steak-south-five-oven
File name:Purchase-Order4973573579539.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:751'616 bytes
First seen:2022-07-20 06:22:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1fe30710cd81c908b0878e166e653d4 (2 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:mDVyc7hRZ/ksbXlwv/qcAD/reQynzySzQrtVSX3x7FRSRjAf2rDNtl2aCHVVkHg:O9j1ksXev/qcADPyzySzWtVSn52pAf2s
Threatray 16'867 similar samples on MalwareBazaar
TLSH T1C7F48E32E6F1CE36D16A163F0C4A76A59C2D7F102D29F99626E8394C6FF9680253C1D3
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/292688/
Detection(s):
SecuriteInfo.com.Variant.Zusy.433412.11119.31541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26820/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed zusy
Link:
https://www.filescan.io/uploads/62d79fc680dba4f80a2522fd/reports/a8a75e55-0f8b-4375-bbda-98d63f69b9fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2936995-daef-4bce-9011-a63fbfc1c6e5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1037548
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 06:23:09 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgxdc52m74b5236n7rp3zv7biq2iyjekvjocpablrbs3mskkkcfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b79f5c913e11c7c7fdd9cf12706d6049894dcc48c5b87368ff4ff05b03cc7e8
Formbook
1f72cb6a89b2416ff755cd63ae5bd2c0016846f5351227cc80e2242060e88a1b
Formbook
23d18a124c44e1f80a9eed03f108139f21a9cbfe060b36211bf21c6cf7213a16
Formbook
44079f7afc8f2b9900564b14b8e3e9e5b8de7ad0b4a1d514e5ff644def494d4e
Formbook
5fd380b77aed19d5086ee0c5afb1a717b0901bcf456ef658c0381107e47f17a1
Formbook
70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61
Formbook
9979157caf31a2349ad5512d9aa7e749649232ceb16f9c410655438fa87de552
Formbook
c8fc44d1f9bae45933ba95a20f0aebf0e69f8304ea11a4346e610dfacc8ce049
Formbook
efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 16'857 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence spyware stealer trojan
Link:
https://tria.ge/reports/220720-g5gfeacfd8/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/0c65304e-b793-4278-a5c7-9be43a2abf04/
SH256 hash:
51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a
MD5 hash:
e46ea39bc8422a6806f106a4bac694d3
SHA1 hash:
59e6db72622b711976f9ae0b312884585c9cb7a7
Link:
https://www.unpac.me/results/0c65304e-b793-4278-a5c7-9be43a2abf04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/292688/

Comments