MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69747996584aba2690d04958b5e2d6446107ae702a0053fd28c8073b4d7c8ad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69747996584aba2690d04958b5e2d6446107ae702a0053fd28c8073b4d7c8ad5
SHA3-384 hash: 343dbd886fb0b2ab6840202a52e9e20f5bd59066e81ff91f697c158c3d1bebb856398979b33428a68b70d897e1d37823
SHA1 hash: 153b08ad6c204f467f7474926e85d5c05eb037e8
MD5 hash: 35d246695f2bca9c07c187a2b41ca7e3
humanhash: london-mountain-eighteen-potato
File name:35d246695f2bca9c07c187a2b41ca7e3
Download: download sample
Signature Formbook
Create hunting rule
File size:454'656 bytes
First seen:2021-08-19 15:22:18 UTC
Last seen:2021-08-22 19:13:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a6a4e4bd5f8e05c24b3a4f78eb46b1e (1 x Formbook)
ssdeep 6144:UcaJPbmXH5F2pO8z4kf+uy4Ln1QiBSTfMoPXD2u20/7AZRnLIuLenLfHv:U96XTwUYNb1VoTfMoPX6U/7AZZDLeLf
Threatray 7'348 similar samples on MalwareBazaar
TLSH T1DFA4017360190BAFC8391272192A8A6F2F7F987305165442B2FD7558E1E72C0877A7FB
dhash icon e88f080c0c088be8 (5 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO20210819.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-19 13:03:49 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/2488f218-bb24-442b-9ab6-02edfdeaf3d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180736/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.26902.16550.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d217319-f1f6-4122-98a3-3fbe763d8c4a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835899
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69747996584aba2690d04958b5e2d6446107ae702a0053fd28c8073b4d7c8ad5/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 15:23:11 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947
Formbook
395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
5e03e3c0687c08d09b2a00cbd68c0965fb690d3d9cf1d3aa4bf48725f56ce0e0
Formbook
644b959318e7825454d8cdd4af75ddeb489c94a7754da360d4cd155bccc3a669
Formbook
7515beb02e1280d143b4716f8919e34fadfc7c806e5a354dc3dcd1dd3318882c
Formbook
779eeda6d0720fba8df941954d1bd4c04d4b60e1488b562ec2a77c37c72796c4
Formbook
c6e3758af9817c19a3c8a5e0c0b19bcd59971d1b2b4c813862bbeb716d87931c
Formbook
ffeb538e279b53ac314ec71da8a83ffd3693cf31cd3705e23579c7f20d182de6
Formbook
+ 7'338 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210819-xlcs79ja8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
69747996584aba2690d04958b5e2d6446107ae702a0053fd28c8073b4d7c8ad5
MD5 hash:
35d246695f2bca9c07c187a2b41ca7e3
SHA1 hash:
153b08ad6c204f467f7474926e85d5c05eb037e8
Link:
https://www.unpac.me/results/5e316a32-1c03-4f25-b493-c2781e4211ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69747996584aba2690d04958b5e2d6446107ae702a0053fd28c8073b4d7c8ad5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 69747996584aba2690d04958b5e2d6446107ae702a0053fd28c8073b4d7c8ad5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1546395/
Cape
Cape
https://www.capesandbox.com/analysis/180736/

Comments


Avatar
zbet commented on 2021-08-19 15:22:19 UTC

url : hxxp://172.245.119.43/d/skin.exe