MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe
SHA3-384 hash: e9adf1bdc673650ee08f6d3ce2bfad0bb92c0aed1fb9b85eb9b86daa86a7d357f6eb1723a2c98c7fa12394b0db9572c7
SHA1 hash: 5cc7c15ecf502df61c2edd0ad5cdc1f3ce156ed1
MD5 hash: 87a279473871f4e4c4b1fb33e9ca74ea
humanhash: jupiter-south-seven-west
File name:87a279473871f4e4c4b1fb33e9ca74ea.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'284 bytes
First seen:2022-03-22 18:48:38 UTC
Last seen:2022-03-22 20:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiiGW9jRnMD5fAk+VqdFELgz7Cp7ClK9Yu47s+b1iT9k:uG+ZGX+cQLqueMk
Threatray 14'331 similar samples on MalwareBazaar
TLSH T15D341203FBC084A3F78106351E729BB8EBF945CD3279950B9F841FAD6638A535766702
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255074/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.3216.27697.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623a1a3a0cd58dbd92d8aee0/reports/0af38e09-9aa8-4bd5-8e01-238a3d000dd9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fc18c38-c48e-4e71-916b-96c1fa8538f4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962079
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 18:49:15 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4zubz63lmeckt7zl4bph4xmzgze3mpyzm25oxop7zy5nm25ot7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1363922a984440ab7ffb7f1f4872704bc6a96008412d399728b20cc8cb1e4abb
Formbook
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
Formbook
3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6
Formbook
4a0e9c1b5c23074112d8c5845451f43017d09ec024f1d993854e2fd43f8f2814
Formbook
4d11816de1a6429b0fa2f9754f7e51e45a6afb350ddd5b806974b629e8fc6fc3
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
c0078989fb64c7ba984ecd27b278d85ea5168720c4f7993265de461f2fbeca1c
Formbook
c61a915c345d7574f2730043bc34dbed169ccc9041205546bab4e60d5c0f21e1
Formbook
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 14'321 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mi21 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220322-xgcejsdbap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
568f5c68f0defd4f6eede076d07f525a4272602b1d3658afe0891c8c3ffcb8af
MD5 hash:
7aaa1e833dbb513cb5bb0a8c04aca366
SHA1 hash:
3f3054111a1bfc65fbc4759210afd430f44512ec
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5b6707f-e6c6-44a3-accf-e21296f55887/
Parent samples :
573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe
308d882a5267dc2b1e74498c052ad6f0ba7e29544f8872600586b9d2dfe798f9
SH256 hash:
2036a87e148df4bb47851d81582c072ed37fa877eba741daeef6109ac03c19d0
MD5 hash:
ce19b217c25aa5bc81a0075aa0c8f32b
SHA1 hash:
f74f46f1179b99c886bec9373a552217ea1d0bed
Link:
https://www.unpac.me/results/d5b6707f-e6c6-44a3-accf-e21296f55887/
SH256 hash:
573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe
MD5 hash:
87a279473871f4e4c4b1fb33e9ca74ea
SHA1 hash:
5cc7c15ecf502df61c2edd0ad5cdc1f3ce156ed1
Link:
https://www.unpac.me/results/d5b6707f-e6c6-44a3-accf-e21296f55887/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/573340e7db5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 573340e7db5b08254ff95f02f3f2ecc9b24db1f8cb35d75dcffe71d6b35d74fe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2111144/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255074/

Comments