MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6262085c403f3e917a05e948d161e3ea1950b7f337ac5bf68933351dbe52ff3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6262085c403f3e917a05e948d161e3ea1950b7f337ac5bf68933351dbe52ff3f
SHA3-384 hash: 1655274c064246ca968d51790a8c7dd36a4ab8288063eeb919ac59169d0898b53ffdaf15ade9f60fddfe7f9753cbf4f2
SHA1 hash: f4c8941e3e4043f0afaa2aa07391dd7778b53213
MD5 hash: ab100440eb2f6d2dca4ffaaa5bddf471
humanhash: mars-island-eight-sad
File name:Certificate prior shipment.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:532'896 bytes
First seen:2023-10-09 16:40:17 UTC
Last seen:2023-10-09 17:51:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep 6144:qXFKo5/YOiQKBhG/Z0spja5b3WLV/fPOeltCX/X7zsbtRIUGuPi/Qc+ibs0VaL0p:qXjYOQBc0b3MVnPOtcb3IUbqo4mNI
Threatray 1 similar samples on MalwareBazaar
TLSH T142B4D06322564C43F2A187BA3777A48D4B117CE42D39DD9D2372B78D237AC81B13A62D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 006ce8e8fcc8d14c (1 x Formbook)
Reporter smica83
Tags:exe FormBook HUN

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.28829.14705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6262085c403f3e917a05e948d161e3ea1950b7f337ac5bf68933351dbe52ff3f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45eb9d17-d8cc-4d84-b809-e7041459fc51
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1322317
Signature
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1322317 Sample: Certificate_prior_shipment.exe Startdate: 09/10/2023 Architecture: WINDOWS Score: 96 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected FormBook 2->48 50 Machine Learning detection for sample 2->50 10 Certificate_prior_shipment.exe 17 2->10         started        13 Certificatepriorshipment.exe 2->13         started        16 Certificatepriorshipment.exe 2->16         started        process3 file4 42 C:\Users\user\AppData\...\upevnrujuj.exe, PE32 10->42 dropped 18 upevnrujuj.exe 1 2 10->18         started        64 Multi AV Scanner detection for dropped file 13->64 66 Detected unpacking (changes PE section rights) 13->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->68 22 Certificatepriorshipment.exe 13->22         started        70 Maps a DLL or memory area into another process 16->70 24 Certificatepriorshipment.exe 16->24         started        signatures5 process6 file7 40 C:\Users\...\Certificatepriorshipment.exe, PE32 18->40 dropped 52 Multi AV Scanner detection for dropped file 18->52 54 Detected unpacking (changes PE section rights) 18->54 56 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 18->56 58 Maps a DLL or memory area into another process 18->58 26 upevnrujuj.exe 18->26         started        signatures8 process9 signatures10 60 Maps a DLL or memory area into another process 26->60 62 Queues an APC in another process (thread injection) 26->62 29 EjNoSddShJqawXIzOaOGRWW.exe 26->29 injected process11 process12 31 svchost.exe 29->31         started        signatures13 72 Maps a DLL or memory area into another process 31->72 34 WerFault.exe 4 31->34         started        36 explorer.exe 2 1 31->36 injected 38 EjNoSddShJqawXIzOaOGRWW.exe 31->38 injected process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6262085c403f3e917a05e948d161e3ea1950b7f337ac5bf68933351dbe52ff3f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-10-09 08:11:51 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 34 (64.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mjraqxcah47jc6qf5fencypd5imvbn7tg6wfx5ujgm2r3pss747q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
42c0bbf88390cafcc303696b01420c9233df8822285de01dd73a1dfe8b5b11d8
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231009-t6321see91/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
e14e053bceca6b493739db237f260fa5a75c456c73cb8cb9d9c6777741cd2063
MD5 hash:
6a96c20a0d71ee9a98505f51be3f6937
SHA1 hash:
2974bb64c827a3ebcf481325432ea2ae4fb980c9
Link:
https://www.unpac.me/results/bdc9da72-5482-47d6-b8b3-e704450a642a/
SH256 hash:
c9db455b0d2ba9461dcd9d9999bff9fd548845e3efe03b0bda91b294816f9eeb
MD5 hash:
688fe4a476a696197d4afd5490083417
SHA1 hash:
9767e4728084c4a7ee1f1c972d27c6a5e613afe2
Link:
https://www.unpac.me/results/bdc9da72-5482-47d6-b8b3-e704450a642a/
SH256 hash:
4314529810dc1f94f7a4ff648e95e42dc35430abd3f66169da298b7d0e5dfd1b
MD5 hash:
6debb2f8c3ac3f67c4faac77e562050e
SHA1 hash:
36afe95549dcb407298d8a6fac2cda0b7e8e9d9b
Link:
https://www.unpac.me/results/bdc9da72-5482-47d6-b8b3-e704450a642a/
SH256 hash:
6262085c403f3e917a05e948d161e3ea1950b7f337ac5bf68933351dbe52ff3f
MD5 hash:
ab100440eb2f6d2dca4ffaaa5bddf471
SHA1 hash:
f4c8941e3e4043f0afaa2aa07391dd7778b53213
Link:
https://www.unpac.me/results/bdc9da72-5482-47d6-b8b3-e704450a642a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6262085c403f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6262085c403f3e917a05e948d161e3ea1950b7f337ac5bf68933351dbe52ff3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments