MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 21 File information Comments

SHA256 hash:	627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4
SHA3-384 hash:	7fda3be87c3e62f4ab4dced9352622c67aade7d6467dd97e759802da0b5bf028b3646e02ca2b80c7e1b00606b25f5752
SHA1 hash:	0216a2e4a22b2fc94bf453d41a62bf9796cb0694
MD5 hash:	a8f98d5d06a1c85fb42d380cf182e4fa
humanhash:	bacon-edward-freddie-arkansas
File name:	SecuriteInfo.com.Trojan.PackedNET.2574.4978.16149
Download:	download sample
Signature	Formbook Create hunting rule
File size:	887'808 bytes
First seen:	2024-01-09 13:21:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:lgDXkJgZsXrnc3yejWXakki2Tsz9EinNHrdQqoZ6mOxjGoVTDzEZz:lRaa0RkATG99ZdQqscjGoNDw9
TLSH	T16A15F16802F49E2DEAEF077DE5A84110C7F43992A113F79D6E9080AC2C737A1D9563E7
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

bomb.exe

Verdict:

Malicious activity

Analysis date:

2024-01-09 12:04:45 UTC

Tags:

opendir loader payload evasion stealer redline phorpiex trojan stealc

Link:

https://app.any.run/tasks/4e30dc17-a1da-425e-9ec5-7f43873f4b5d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/470035/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.2574.4978.16149.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control hook keylogger lolbin macros-on-open packed

Link:

https://www.filescan.io/uploads/659d487b8369fab94de8b307/reports/97603b71-1fc7-4000-9039-5f0523c746ae/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eef9123f-e1bf-462b-9826-b0ae6b50be28

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1371789

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2024-01-09 13:22:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 37 (27.03%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mj2rlnr3y6zov77rurpj23we7hzk2ldy5ud2ubcnb7udn3kisssa._file

Verdict:

malicious

Label(s):

formbook

agenttesla

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240109-ql79fscgg5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

f76c9df2a22e18f908b6a18310a614fe4cb12455de424f35ecac01cface5adf6

MD5 hash:

4895d68232c7db725b79ea225219e6eb

SHA1 hash:

a3d4ed70783079142d6941e36c4e5ec4b4af8e28

Link:

https://www.unpac.me/results/25763887-70d1-42d5-8ba0-51f9f3a8a93e/

SH256 hash:

3363dcb868cc0208ec0549958076ad8569a1c19de4409ffbac91d7f92f082359

MD5 hash:

69209005d5bff76f7133bdfa9840aded

SHA1 hash:

5c210164a3cffab96cb8dbcc00acc1f79f48b7dd

Link:

https://www.unpac.me/results/25763887-70d1-42d5-8ba0-51f9f3a8a93e/

SH256 hash:

cf0062ddf592f40ba6c03657c75bb2e7ee4803e8631a019eb3198abf5b317226

MD5 hash:

42134fd9fed24132b0dd8499259ba6f9

SHA1 hash:

81e839befcd6dff3d95ece60ff86a6a332e56892

Link:

https://www.unpac.me/results/25763887-70d1-42d5-8ba0-51f9f3a8a93e/

SH256 hash:

7adc832e34a587bdd4df614ddffbeb3b83eba9f00982f9b67de30a1b6584a3f3

MD5 hash:

300437543ef4b9c48d617a4fe3f0d1e6

SHA1 hash:

5b1475cad687772b06e91c13c86fe2b8ee730fc4

Link:

https://www.unpac.me/results/25763887-70d1-42d5-8ba0-51f9f3a8a93e/

SH256 hash:

21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818

MD5 hash:

440bb4db146ccb1161ac2bcf365d7676

SHA1 hash:

506eda511b46df6e95d86861e70fda81307f8623

Link:

https://www.unpac.me/results/25763887-70d1-42d5-8ba0-51f9f3a8a93e/

SH256 hash:

627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4

MD5 hash:

a8f98d5d06a1c85fb42d380cf182e4fa

SHA1 hash:

0216a2e4a22b2fc94bf453d41a62bf9796cb0694

Link:

https://www.unpac.me/results/25763887-70d1-42d5-8ba0-51f9f3a8a93e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 627515b63bc7b2eafff1a45e9d6ec4f9f2ad2c78ed07aa044d0fe836ed4894a4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2747432/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/470035/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample