MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044
SHA3-384 hash:	15a012e650c0d9a39c8de529a5cc289c31834087d7e474a35adabf8e3d5fb83e21ce030ce24fe5696adf1b88f68abf56
SHA1 hash:	a88aa654e898c10cb678bbf7651eeefeb31f73ba
MD5 hash:	3e4a1eeea0b92fbe4d53fb0cc057a48b
humanhash:	one-item-spring-salami
File name:	SecuriteInfo.com.FileRepPup.23409.8938
Download:	download sample
Signature	Formbook Create hunting rule
File size:	289'280 bytes
First seen:	2025-03-07 17:07:30 UTC
Last seen:	2025-03-07 17:41:41 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:bduXBAAwGSD+ALyZqm+TE9ODvYsItuhiEvUbK71S59CTbc1oQdU:bIxnTJ1meODvYNWvoo1Ucbc8
TLSH	T1F1542354CC9BC111D28A82B04F0E37B19CDB77CEAAAD17917630A883DD88E34F5AD51E
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.3% (.ICL) Windows Icons Library (generic) (2059/9) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

452

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.FileRepPup.23409.8938

Verdict:

No threats detected

Analysis date:

2025-03-07 21:28:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/23b387a2-2a26-4770-9a53-aba2bc50d5b1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67cb28c3c668b65489bfdff7

Tags:

injection virus zpack

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

crypt microsoft_visual_cc overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/67cb28043c5f644bd948235a/reports/93a0b1a0-2aba-41ea-8c4f-0f14ec71a0b3/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d150d899-dfa1-4a48-8427-6b2e32248a8f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1632056

Signature

Antivirus / Scanner detection for submitted sample

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-02-24 15:34:26 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lyyavxj4k634cxmvwefd26u2yznvl6k4rywmcgstc36lzdacobca._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250307-vnlkpatqy8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/acd401bc-f4f2-404c-a4f1-6f191c17be85

Unpacked files

SH256 hash:

5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044

MD5 hash:

3e4a1eeea0b92fbe4d53fb0cc057a48b

SHA1 hash:

a88aa654e898c10cb678bbf7651eeefeb31f73ba

Link:

https://www.unpac.me/results/8204a25d-690d-4b6d-810e-8688189a8fa0/

SH256 hash:

e990b85299c5ee307300bd45ee1582b23aebb1e22179238a71697b662ced5bde

MD5 hash:

0644b1484ae7cf789f2cc5e5ad5a622c

SHA1 hash:

74db5d6af7c4a84575ddf3f36ab1d60733cf9d66

Link:

https://www.unpac.me/results/8204a25d-690d-4b6d-810e-8688189a8fa0/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5e300add3c57/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 5e300add3c57b7c15d95b10a3d7a9ac65b55f95c8e2cc11a5316fcbc8c027044

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3470545/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample