MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61f0f1442cc29e258378687f8a03c7b5a07785bcffe03aa4fb8a308246060ca5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	61f0f1442cc29e258378687f8a03c7b5a07785bcffe03aa4fb8a308246060ca5
SHA3-384 hash:	6914c4a17ab5f4da926325e7c6895952cf2793c9527c798d7be6118e0cec4a57db4af6005b26e19087002c32f3ad553f
SHA1 hash:	81e4d0248b2e1f9e83151ea43e47b00fcfc9dc58
MD5 hash:	22f37acbdee3a24526a39d658b2555a4
humanhash:	kilo-blossom-kansas-colorado
File name:	DHL 영수증 문서 배달_871209,pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	270'537 bytes
First seen:	2022-01-31 13:28:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:TwkNZa0qzmgDwhvH1LNomGhRi2PfnVZo+hTOTJm+xG5O:/bNJoVni2PMCiEQG5O
Threatray	13'220 similar samples on MalwareBazaar
TLSH	T1B4440292E1C488EAE8551A3018776B3AD27BAD983FA5161F4B283D7877371C3053A54F
File icon (PE):
dhash icon	003171630385d500 (6 x Formbook, 5 x RemcosRAT, 1 x DarkCloud)
Reporter	malwarelabnet
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/228453/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61f7e422d7fd65ae55fccff3/reports/fc8df6a1-2872-4c93-a4d6-20c72ca3d5e2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf83fc55-648a-477a-92b1-52ecba849a62

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930864

Behaviour

Behavior Graph:

n/a

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/61f0f1442cc29e258378687f8a03c7b5a07785bcffe03aa4fb8a308246060ca5/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2022-01-31 02:51:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mhypcrbmykpcla3ynb7yua6hwwqhpbn477qdvjh3riyierqgbssq._file

Verdict:

malicious

Label(s):

formbook

Formbook

081be32fe752d7e270c45f1d7a71889aa4452a590963da8dd75e3f26861ddba8

Formbook

2ef455592017e10cdda6c9a0378a35c232d90ad98d601ca2a1eccb64279fa97e

Formbook

39719289d429bc644b0e8d093e86729d45d4c6449aa615fe142efb5ec86eba69

Formbook

3ef87bd378c364fe42e2a46547baa7b5683716328eaf8c1e3bd74050becb83a3

Formbook

502303edd5a9de57b3667146e84f15fc4957242ca2ef8f75f5e503946c452ee2

Formbook

5bb063ee2622e4f4e0d61535b8ddc6acd3e5674d4ef098bb4b595f1bb61b847e

Formbook

71bad0685e5b2447a8dcdc960ee2930ad5ec4910d5d449040fb52cb9754df2a2

Formbook

9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30

Formbook

+ 13'210 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/220131-qq8qsahgh3/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Drops file in Windows directory

Sets service image path in registry

Unpacked files

SH256 hash:

61f0f1442cc29e258378687f8a03c7b5a07785bcffe03aa4fb8a308246060ca5

MD5 hash:

22f37acbdee3a24526a39d658b2555a4

SHA1 hash:

81e4d0248b2e1f9e83151ea43e47b00fcfc9dc58

Link:

https://www.unpac.me/results/46a757f4-80eb-4b89-a97b-aa771f432f1e/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/61f0f1442cc2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/61f0f1442cc29e258378687f8a03c7b5a07785bcffe03aa4fb8a308246060ca5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228453/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample