MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 21 File information Comments

SHA256 hash:	571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0
SHA3-384 hash:	c76a46bd6acc9d11fd7e295dd9f460b0ca2726b34c3d610e27bb8e22655b8b08b83e681ec19e78aba1f24fa8188c591c
SHA1 hash:	e599416ed7acde096b1cc539cc2cb918af6f8451
MD5 hash:	f206005aa256bbbb936599ed750bc39b
humanhash:	lion-wyoming-venus-wisconsin
File name:	FMBO09876789009.bat
Download:	download sample
Signature	Formbook Create hunting rule
File size:	483'840 bytes
First seen:	2023-10-12 15:12:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Uok4fD2S+Z53C2mPhERgn11gebhZgVKNEk6ceXz6:Ud4bzm5S2mPGKrgYhS8yk6L2
Threatray	79 similar samples on MalwareBazaar
TLSH	T129A4CF3261689F5DE6268BBC835297DD46EEB9167100DA1B0D8A33CEE2F3F005511BB7
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	bat exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

FMBO09876789009.bat

Verdict:

Malicious activity

Analysis date:

2023-10-12 15:16:05 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/00c5067e-b73e-45a9-94c4-c926becac4e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453886/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.62058.28200.8844.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Launching cmd.exe command interpreter

Sending a custom TCP request

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/65280d00a29a700213a0adee/reports/a01f8f49-1f01-480a-ab91-51a75ebc2115/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9cbe4d21-8ac5-43e0-ace1-a21451068316

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1324792

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-10-10 03:14:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4iribtlhbsbsangu4gpcd6iydlecz5qtqraygnmvv6rkucukxaa._file

Verdict:

malicious

Label(s):

formbook

Formbook

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875

Formbook

795998e9064cb981d6a40a34fbeee48381121ea7ac7175ffe5b506b11cf843d7

Formbook

7da9294ba554d4c17ed9e4caac9836e303980814c7898b422ccde7a246ac26a5

Formbook

b88b53db5c1fd0779cb7718630d7ac90f0ff81cfc7e8495bff1325743adeff65

Formbook

bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3

Formbook

c1aa65f7c2cc6beb7052c8ada46a3139fc01da66890f4153a7c5761292b71d61

Formbook

+ 69 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231012-slrb2saa39/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

3eaf81a5357608534db98697c67c0fd97b07cf78d174e17fbe9896146f9929c5

MD5 hash:

b0f51b21dfd8e80b9978a30d7b449c81

SHA1 hash:

383da954875027f6b1e297cd718e6b3c9382c213

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/f8ebf56a-2404-4c61-86dd-ad11eb023c42/

SH256 hash:

2df81b7a7580dd8099502f1caaf6ecf3af80d9b04ffe32cf2ac7834d944cc1f2

MD5 hash:

4cfae6afed1c1626499592c0d6711f93

SHA1 hash:

9f41bbd487e22867d3942e0db7a394ae00a69009

Link:

https://www.unpac.me/results/f8ebf56a-2404-4c61-86dd-ad11eb023c42/

SH256 hash:

e79d347a3b5031cd6793d876b012efbde4972e8da31866a808967cb3fcae7213

MD5 hash:

edd273ac8fbe2c0730ad111a49603f1b

SHA1 hash:

1f649776aaee64c6bcfd571a6626684c1e8d9dd2

Link:

https://www.unpac.me/results/f8ebf56a-2404-4c61-86dd-ad11eb023c42/

SH256 hash:

571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0

MD5 hash:

f206005aa256bbbb936599ed750bc39b

SHA1 hash:

e599416ed7acde096b1cc539cc2cb918af6f8451

Link:

https://www.unpac.me/results/f8ebf56a-2404-4c61-86dd-ad11eb023c42/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/571114066b38/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f609fadaf5ca61427c6879de2cbf6d4e6c26dc2c77292bdca49a50b020cec397

Formbook

exe 571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0

(this sample)

Delivery method

Other

Dropped by

SHA256 f609fadaf5ca61427c6879de2cbf6d4e6c26dc2c77292bdca49a50b020cec397

Cape

https://www.capesandbox.com/analysis/453886/

Dropped by

MD5 688c10142fde7b15a6d2bc65dea1841e

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample