MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52bbb87af8510bd3b008c070c27f022f14315f4d54f3b046b88fe2689e88c941. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52bbb87af8510bd3b008c070c27f022f14315f4d54f3b046b88fe2689e88c941
SHA3-384 hash: ee6ab059b921fa8e5d860fda9f4bc53ea505854d0fa92cf7a1f42c0182d2e7a302808eda586b38de23511d13ff8079f1
SHA1 hash: a60d7e702d15eb428745bcefd0bbe440dd722c3a
MD5 hash: fad548a15140163e9be4f7c7f7a12725
humanhash: harry-neptune-iowa-cat
File name:SecuriteInfo.com.Win32.AdwareX-gen.3322.13848
Download: download sample
Signature Formbook
Create hunting rule
File size:172'032 bytes
First seen:2023-10-05 02:31:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 235f54a8f3fab3914ce05790a045f905 (6 x Formbook)
ssdeep 3072:NSOQKf53nEwlkDRJdCs+0n3sK7AHTccd9jL:NOikfHDnaT99j
Threatray 2 similar samples on MalwareBazaar
TLSH T18BF36B1136D18072D573023619F4EA615A7EFDB24FB29E5BB7C80A8E0B745C0AB35B63
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.AdwareX-gen.3322.13848.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin redcap
Link:
https://www.filescan.io/uploads/651e2023a71d9f843c2c19b8/reports/010024b1-4d58-4d2c-96dc-8ab70e168cf0/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/52bbb87af8510bd3b008c070c27f022f14315f4d54f3b046b88fe2689e88c941
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92d3c733-b507-4228-b56c-dcda29e96a53
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1319865
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1319865 Sample: SecuriteInfo.com.Win32.Adwa... Startdate: 05/10/2023 Architecture: WINDOWS Score: 64 22 Multi AV Scanner detection for submitted file 2->22 24 Machine Learning detection for sample 2->24 6 joxdmirb.exe 2->6         started        9 SecuriteInfo.com.Win32.AdwareX-gen.3322.13848.exe 1 2 2->9         started        12 joxdmirb.exe 2->12         started        process3 file4 26 Multi AV Scanner detection for dropped file 6->26 28 Machine Learning detection for dropped file 6->28 14 WerFault.exe 10 6->14         started        20 C:\Users\user\AppData\...\joxdmirb.exe, PE32 9->20 dropped 16 WerFault.exe 21 9 9->16         started        18 WerFault.exe 10 12->18         started        signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52bbb87af8510bd3b008c070c27f022f14315f4d54f3b046b88fe2689e88c941/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-10-04 23:06:44 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kk53q6xykef5hmaiybyme7ycf4kdcx2nktz3arvyr7rgrhuizfaq._file
Verdict:
malicious
Similar samples:
4732c2a4e78e5f416cf1d7abf28c1991e45ac8706fbab576b84f0b72d0288d2f
Formbook
8d48b5f989fff5f8f7f654f2d1fa6f8f7e52bcb0a1e2f25b02910ae1861760b6
Formbook
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/231005-c1ad3sab73/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Unpacked files
SH256 hash:
52bbb87af8510bd3b008c070c27f022f14315f4d54f3b046b88fe2689e88c941
MD5 hash:
fad548a15140163e9be4f7c7f7a12725
SHA1 hash:
a60d7e702d15eb428745bcefd0bbe440dd722c3a
Link:
https://www.unpac.me/results/18b1a746-60b5-4d87-978e-5596d31c28d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52bbb87af8510bd3b008c070c27f022f14315f4d54f3b046b88fe2689e88c941

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments