MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 1 File information Comments 1

SHA256 hash:	53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81
SHA3-384 hash:	5f16eed13a6e6a650acebaa305595986136da27418e6f2ad41157a9bead8327324644b4aa9d0ddd249f777bddf18308d
SHA1 hash:	a27545f9f552769d83c2aa846d79cd1252ed7ca3
MD5 hash:	923b2cf57335ee5730c03f793b9b465a
humanhash:	tennessee-hydrogen-avocado-king
File name:	923b2cf57335ee5730c03f793b9b465a
Download:	download sample
Signature	Formbook Create hunting rule
File size:	361'149 bytes
First seen:	2023-07-04 07:57:34 UTC
Last seen:	2023-07-04 10:32:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:vYa6VB0R719FRWlAQR/P9Zpim8lMvGMsAzKDv4Wkm2wG+8p9rNvQr/zh/QCM9OF7:vYnyR71H4RsmaMvX+DAWkZMCVKzhC9It
Threatray	3'361 similar samples on MalwareBazaar
TLSH	T16174120414B290F7E8A38B325C39A7A48AF6A71704B5671B67D03B0C7973691D63E7E3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

order703233.xls

Verdict:

Malicious activity

Analysis date:

2023-07-04 07:04:39 UTC

Tags:

exploit cve-2017-11882 opendir loader formbook xloader

Link:

https://app.any.run/tasks/3acad60e-8ea4-4c10-91c8-8c4aae6483f9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/406310/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.23876.13565.14285.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Restart of the analyzed sample

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/95486/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64a3d10b204315fbc16cab2f/reports/c082a0a3-3d59-4c93-8d16-ac9a4ed344d2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cb3b63b8-fa64-42a4-a0a8-8ca3f279ff5d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1266448

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-07-04 04:28:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ko5q6kjxgpfnx5vvobgnanm3mgwkuy3h5nesncifofcjfu2536aq._file

Verdict:

malicious

Label(s):

formbook

Formbook

596582af66790eee7160b485c4fa5d060b3c820af83343fe4c12fa360043a09f

Formbook

68ba26474bb29bdbc42cfddd75f212eec1ffa22d5c1affc893addce5330f4e11

Formbook

7be1b5e4e93c8fc4f3ea7598ae04c355bd1b9ed369819a327f4a3ca3c2978c09

Formbook

87f7348a8731af0346cfcc709488d0831a95236f554d2f8a50e12eea1ceb6764

Formbook

bb5df98c2c7bc29973d2f2eeb67ce8b7a2f9da4166fabe5dfd70e5117e404991

Formbook

cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca

Formbook

ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3

Formbook

e54d5060f522ac4aae58c95d299bff21e5e6e014c941cd0a9e88485ea29e4ebc

Formbook

facf2fbbac21edd7550d00e6f6916f9ee598f9c3bdc2ca0feb288c139d687672

Formbook

+ 3'351 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:m42i persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/230704-jttygadb31/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

6a6d1e38d6cf19d9e006fa09b9d4ad1ae6dea89f72dc5a0bf74f9cadac6fc69e

MD5 hash:

1a3a42eb12c818f6466c5be494618123

SHA1 hash:

0573135d01872f45c9532887d9fa702f752590f1

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5195e83f-c496-4b43-a173-c8b471b69ab5/

Parent samples :

87f7348a8731af0346cfcc709488d0831a95236f554d2f8a50e12eea1ceb6764
68ba26474bb29bdbc42cfddd75f212eec1ffa22d5c1affc893addce5330f4e11
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81
02ffa3a8856091ec637bfe8f4155eb49d3ede06df0cf2e83b828f5b27c983627
210d5b19dfc3dff919ba6ed4d76d2aa8becc988dabcca66b247d05c51811434b

SH256 hash:

307825cea8af6c41025578bbc6272e561579c38c2caad845453cfc9008c04932

MD5 hash:

742832ba3c099d07751e6405cac76dd4

SHA1 hash:

42eb205c6f3a3b11bb1df8b2e1e8ae1e1505770d

Link:

https://www.unpac.me/results/5195e83f-c496-4b43-a173-c8b471b69ab5/

SH256 hash:

6a6d1e38d6cf19d9e006fa09b9d4ad1ae6dea89f72dc5a0bf74f9cadac6fc69e

MD5 hash:

1a3a42eb12c818f6466c5be494618123

SHA1 hash:

0573135d01872f45c9532887d9fa702f752590f1

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5195e83f-c496-4b43-a173-c8b471b69ab5/

Parent samples :

SH256 hash:

307825cea8af6c41025578bbc6272e561579c38c2caad845453cfc9008c04932

MD5 hash:

742832ba3c099d07751e6405cac76dd4

SHA1 hash:

42eb205c6f3a3b11bb1df8b2e1e8ae1e1505770d

Link:

https://www.unpac.me/results/5195e83f-c496-4b43-a173-c8b471b69ab5/

SH256 hash:

53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81

MD5 hash:

923b2cf57335ee5730c03f793b9b465a

SHA1 hash:

a27545f9f552769d83c2aa846d79cd1252ed7ca3

Link:

https://www.unpac.me/results/5195e83f-c496-4b43-a173-c8b471b69ab5/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/53bb0f293733/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.