MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277
SHA3-384 hash:	ce23b4d59379042ec2efaa5bcf80a598f266916a6a4de4cbdd40283c70bc1701ec0c372309194a1c92d5ef56cc52d74e
SHA1 hash:	3a907c34ade6be35c7bc50544e7bea7c69b1b584
MD5 hash:	7c754436428e55a562a264840f7fc7a9
humanhash:	triple-whiskey-freddie-michigan
File name:	Lista narudzbi u prilogu.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	680'960 bytes
First seen:	2022-02-23 12:45:09 UTC
Last seen:	2022-02-28 14:45:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9a208a82f2ac1ed3524405196188a65f (6 x Formbook, 1 x Loki)
ssdeep	12288:wqPCYSx1alrmI6WvcmOEgJCegF63A5WLS2x3pxjsf:wqaVIiI6WvcykBzw5WLd3/j4
Threatray	11'968 similar samples on MalwareBazaar
TLSH	T18EE49D12F0E2D432D15719389D0B6268982ABEF07E2CE48A4FE53F447F356497A1EE53
File icon (PE):
dhash icon	eef2f3969292d42a (18 x Formbook, 4 x Loki, 2 x DBatLoader)
Reporter	TeamDreier
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Lista narudzbi u prilogu.zip

Verdict:

Malicious activity

Analysis date:

2022-02-23 11:48:01 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/c50c0465-7684-4b07-b51b-dcc301e3dc33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/243742/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.13073.15144.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Launching a process

Launching cmd.exe command interpreter

Searching for synchronization primitives

Setting browser functions hooks

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7125/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe keylogger

Link:

https://www.filescan.io/uploads/62162c96a2660f3bb92fa7ef/reports/e6fd0499-1a9b-4807-a450-ad64732effe0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09e6bb68-fd15-4dd8-b313-968b3eafd5cb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/944737

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Drops PE files to the user root directory

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-02-23 08:18:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqlsnycfrggrlq44cfkzyapcs6x7ekjeutgtkq7azyxdzxb4ej3q._file

Verdict:

malicious

Label(s):

formbook

Formbook

0d6135fd347e16b6257d853b329b335e0d3685625ef96a07241adc3e5ceeea91

Formbook

4877dd469af0e1ac31efa295325a3024d10abdc0a7eeaf74fe5b4eb9d0518bd9

Formbook

526f4e19614eb20343647b92758df4c1f9227e77bec90af22256af4b3b091596

Formbook

b1e2238ed835357f061456c7a38d0620cef8b78f0e1a9856133cc5b2805e0ed1

Formbook

c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a

Formbook

d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212

Formbook

f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36

Formbook

fb98f0f50c30ffdacfa3ea67a2990fa5ec2ee2646dc2226179f8589aec41f5d1

Formbook

+ 11'958 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:3nop persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/220223-pzmn8sabb2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Formbook Payload

Formbook

Unpacked files

SH256 hash:

e0f0812898ccc9c325dc08dc1377365ec34bf8b6da18aa90e6b7f7aa2a13c548

MD5 hash:

289caf1027c7b756ce8da53d02485cea

SHA1 hash:

2f583c1c335fd45d56929dcf54c85ec37251edf7

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/81c58729-3d53-4dc8-8d8b-7eee929a5cb1/

Parent samples :

6a7dd66c29530f7ed8f03ebd4b5f843639b34581d2e9ecd85c9fbdfb60450607
8051703485faca901060ae5b39054e5efee88909d2e1d4bb0f65126cda3230c1
1977d11ffc5195546fb8d5d8c660d7553c3961bf87ad4b972ee0cb1794d2168d
d4a859db98f9fd7473592c49c36ac926a2a29b27d7db8fc311f468bf82e64588
f35eab27c7c3c148fc5aec8351e7e5bd612214c91937d9867c8683ea7cde130d
974c776e5c3d20d4e254a4a493757f482931a2c48cdde33c76a0097eafbfdc85
83650c9dbbc1f4c607efa7934674da5f6237b234a81116744288be02cf2ead54
ee2440922354d6be2dce4ab27274ae2cc2108d8dde37837a739a7e2a36e317d5
f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36
fb98f0f50c30ffdacfa3ea67a2990fa5ec2ee2646dc2226179f8589aec41f5d1
5289d529e7d53da3449ddf8400d12ae7622ede25284c2823ed46d0800fd94736
46c2da007a993c4b1ecfa3ff91364bc98341c9c228517eac38b50c4567fb78dc
ea43c71d7ec447e2483c7f0c8488972648209f2b487f2e6e64227d3d729c1d88
23ebe8ce49e895139f26f190d36a37ec52e924db63a995901948f30111efe6fc
526f4e19614eb20343647b92758df4c1f9227e77bec90af22256af4b3b091596
02466f10b00992a56b5fbfd4f8117e8572c2f64b27fd7bed8b51acc159004fd5
d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
d3c632c33688b9d7ae817a7932ddb1a48dbaad0410a681304c6c88211a020fdb
641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277
9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7
564d91f37b294e7a10fe79495dc9da5ae6733b20f2d7c732ff0c692110b0e01a
ac59a96a7600ffeacec6db910d9ff04e5ddfaf5f325ca41a0c06028a739509da
7391303e2231d2f0143f8b0e86df253054e461a52279139fb800180d32271dbb
03c24fbe7c863e8337b0c944f96847b5166297283727edccca056c4f6f688d4e
c1c5eecc6b6b1138ad43a1b2793d3872dca1c6ab4ec53d34e354e49e35d045d0
82c24935270870bb35719f35c29075f8bf02894bf81ba28e66983aa2247472a8
7146b418cdd99ac478a67e603bffb10c10f1c32745da1fd60c931f54f1f114a6
a7f53b92008e8a3678035fc366bc1b88d152efc8466e9e82c754752d000a5ad5
d423d7edf718ca00f8410a93834a6f9c99216c3a60860700f1fc6e493fedcc43
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
3bada4f5bcaee92a5979aecaa24326988226e9886815ccba28904d30735fe506
50365c827bd768ec7fdf1a5b688d19ec0645042e92f04dad712a1955e9bb4c8b
e0cee79b01870e15ca64195ba9d953f91173b189b9fb8c45a2bae916dd8f95a5
3fbc9c55133b3d51ba2221836cffc08e727826e9514233706781f897ca0988f3
15bff226310e77a5ff67a9e131c8e5d7ec0686e967e0863dca784f20fd8d0268
3d256cfde83a4560df279fbe2b4ef03ccd52fa13b31bc1daebcb3bed353c215b
03610e21a01afd8dc19c986d69a4c13eeda93fbec0e6eae7828065781ca028bf
6d3ef9ddf5f1d57d353e5d8b9bedbca6ab42765de06abf381534126d24142948
bd54feaedda33ef8e611cd540e84b8c44d989f2417ddca33472cea3b7892afaf
3f8e7640849ec23964af23d6e70ccc62510a3cec9bd775b30d18d5db7215a22b
b65b5c308318e1e0fc2228dd022300099273dc340aa8faba81abc1d3868707ea
4195e6b7bfb7263798034048a5a2d34780ecdddae25576e23e9c6b0df9316ccd
5ab614491453ac799f4944620f8d433d42427aaea0ad0f1d55f240bc1ba6a057
b3b8ceafdfc6bde8a73c68005414b709ca2b08f5eecfd9a49d769460d6c17c98
67708b9f3764b349b6cdb3d8cef073edc22303181f0a1c6f129ac1dae18feb1d
714e06d12bf6f481cfd3dfa64a13d37c614a759543d87b38ca2c6a03ee936f7a
fa6d0f34d7c69bc4e525cf1830beffa3aec08c9b69aae24f55a6232d89680421
4a59190e199b69f65aa69f2f5f1f6b568d49a052868e2c853b7ea1d70c04a953
5a288a8a3fd0158f2d9e11713cc4eaf951e12e4f196fcea95d74a14fc37d16d1
6c18b064240861b42aa8fadbea5472fdce174a4d2b1510d53cba2b28779602d7
988d086b6ca75da2fca905b090c6f20b21749335f7e2ee99d8dab2001d4667e3
aeb38f72dfa11e848a65cf0814a530e24df08dc818348d9e80978cb330f24af3
90b5404ae697363f350f8c78220428a79ce57b743e5f0eac06137b27fea25400
c1b7572079230fd99c0ca004448f526420c124efbd0e1f6027fb950fbac5e05e
952d3a3e3d19204bf7bb614623aa0d78e0be4ee05b0313c5c68e0e10f6e390e0
f1d8f8c8bb9871fabbd6a001c48bc001c5181b512d2989e87f08280b74ada33b
42dfb1aeb19afac4595bc0146dd42ee251896ea1bf3ea8ab05d4bd28a7edbed1
8dffb14c55c2880b40767aadf5615a6652403d59f357b0b77da3e00b875a0e32
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
2fa540a1679ecd37874e53b50eb4c756223420d5f970c935ce053345f1f231f4
8f9f3e0d7eebe0304aeb35eb75be87c7bfe13859e00851df037f54d14765cbb9
44d963269f8d6e5ec5c15354be28c9078f58eea78943d39eb78c6485dea5065d
55d580190c976f23c945cb65feac487555e1b919079d930fe6201e22b5538905
d7d7882cc702fc76252e2b4fe7cdc7fbffa038e2329e579142e64acf81a26304
c7c0d3e8cd6fb36ceb4b5c2e32b019dd209fdd38fdf1bcb215f973da80437dd8
b0842f8285062f38c030bdd15264ec38fb23624888d135121f1cc11084c765ba
a85b95364a9cfc74c4219a544a20deca3f2a30b666aa1f84073fc1f56e1330b2
42cbad41d36d2c0f5ae498e89024822907894f02e173802d6e96dc57f0bff2ef

SH256 hash:

641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277

MD5 hash:

7c754436428e55a562a264840f7fc7a9

SHA1 hash:

3a907c34ade6be35c7bc50544e7bea7c69b1b584

Link:

https://www.unpac.me/results/81c58729-3d53-4dc8-8d8b-7eee929a5cb1/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/641726e04589/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/243742/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample