MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a
SHA3-384 hash: 2febd11fc5b4828e4333f76339f01e573e697a5f32682c70fe991be1931eeb13a8c09f446e8ffc818402cd0aed737a06
SHA1 hash: 9082c2a61e484169458b897b2b6a424afafd3abf
MD5 hash: 6c3fc18ae8c7588ddf51da5653fdba9d
humanhash: uncle-stream-kitten-foxtrot
File name:SecuriteInfo.com.Mal.Zlob-P.20040.1694
Download: download sample
Signature Formbook
Create hunting rule
File size:237'454 bytes
First seen:2021-03-15 19:51:13 UTC
Last seen:2021-03-15 20:43:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 6144:qTqjFkJwvAk08aFn9YiTPS+xokWX4HEzbLQ1:GhJOAkwFn9nrD64cU1
Threatray 4'234 similar samples on MalwareBazaar
TLSH A1341296A7F0C4F3D96F89B107B29239F737D3915213AC9387804F7E29A4856870639A
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Narudbenica 130321.doc
Verdict:
Malicious activity
Analysis date:
2021-03-15 17:03:55 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/6545f634-e233-4f61-a858-e40d6f4dd101

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Mal.Zlob-P.20040.1694.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36defdc8-5197-4b4d-9c22-d10429480732
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640009
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-15 17:42:32 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
Formbook
11f06223417d6045acaa15cf7f5515d9afdfc23590c9cd021c2ae90a736bb6cd
Formbook
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
Formbook
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
Formbook
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
Formbook
adcc2671f1168261ceace2da6f28a79e0b3bc2f774fac1d79f4628f494951d24
Formbook
b12941d367baf1228f6d262c4696b267cd1d36e600742aaf1fee00582fe1ea07
Formbook
b7d74de8e9514ca3fbfa4676be4433069bc913f86953a79d40c6272d5077242c
Formbook
db351de507bfb075469e69ffe4859653ca3b3d0729c0236a5d3f8fd935e01cde
Formbook
f39b9e8c4a9aa6d8cd9f069e8a8ee81a3f666e07071f2b4673aa42633026736c
Formbook
+ 4'224 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210315-f16y3ea5q6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bigmikecon.com/nang/
Unpacked files
SH256 hash:
f5ba1e8875dd71c1cc08de098d0a674a053e5be2e03c9739815f679b9cb65014
MD5 hash:
4a60aa377b3c662097685c3c27ec5d8b
SHA1 hash:
ab2337fa4533537cb85dfaac95e1ae1da35367fb
Link:
https://www.unpac.me/results/56a6dc2b-caf7-4596-b58b-7b3c430b2236/
SH256 hash:
66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a
MD5 hash:
6c3fc18ae8c7588ddf51da5653fdba9d
SHA1 hash:
9082c2a61e484169458b897b2b6a424afafd3abf
Link:
https://www.unpac.me/results/56a6dc2b-caf7-4596-b58b-7b3c430b2236/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zlob
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1069296/
  
Delivery method
Distributed via web download

Comments