MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672
SHA3-384 hash: f348695b1867622be0f41576341fdb4c26d6712215fcb9c3958aac53d18e5137555dbaef40e6adec7308398d0d55bdd9
SHA1 hash: 19003913d74d3cd4159f508649af3b38ca444b39
MD5 hash: f64d3ab3885e476d043038fedbc500d4
humanhash: mike-yankee-oranges-helium
File name:f64d3ab3885e476d043038fedbc500d4.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:359'743 bytes
First seen:2023-04-18 05:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:BYa6WIu9pKmvF7u3g9IMuawzLdffFrQ0OUYrPnr8VwpiEZE:BYRu3KmvF7u30IBZlffupN/IVwpiE6
Threatray 2'642 similar samples on MalwareBazaar
TLSH T1C074DFC5F95090A5DC2A5371263BCD316A13BC3E86B4290E2BCE3E7B3FBB452941A553
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f64d3ab3885e476d043038fedbc500d4.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 05:53:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a72f2408-1dfa-46d5-929e-d8d8d3d813ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382925/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80149/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/643e307e48716a65fb203fb3/reports/a3c5996c-1dec-4fc1-8501-6ff3b5663c3f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81b91ae8-e764-4efe-9353-744399a15dc9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215649
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672/
Threat name:
Win32.Trojan.Garf
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 12:08:31 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5oqm5ld7piigz6kxghztqo34qsfm75gjvcegr5uzuyxexf66zza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43
Formbook
2666d6497d3cc713c61afcf15370f3f4efd89e1dd719afcb99c1184236b35112
Formbook
2d3c7fefde60268ec96906144d74058651f6d5d7ed5993a8b1ed00ca40a2d7f0
Formbook
3ab1320757d68dbf0e5eb5d31cf81247952c244bbfbda9466cd83d112efc2c72
Formbook
407cca2ad9433a2a222f9ab1ce14060bf6d5a5c041dc8d2b545257fd0be9e8b1
Formbook
5efbfab2a58f8e0b0c7d135fc020b123234ee1c56d81ecb760b3bae95db34e60
Formbook
7421357a93e7c44d80dd1fca3c0359e23b98c590722ef09ee940766fb5252fdf
Formbook
804b5ea31eb2d266580093c2a144a1f62ef1ba88e39d2de9d79bbad405408197
Formbook
a21c6c623959c4995842ace85f7f5a7e3751c4930d28ebad92c7a737a7f8cfb8
Formbook
b6b4defc23fd79807ed6c5a4e2a111465c3e444a6efd07e837fcfffa4a19b688
Formbook
+ 2'632 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230418-glw2rabe8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
e99dd11d36fc6475b29ce8d12e8d24a0afe746f92d4b595bac6eb7c6c60470ff
MD5 hash:
5b34c24fa85fbc2cc641ba60ca326396
SHA1 hash:
3aecbae4592c4bebcc062f3e6f3c211f292b592c
Link:
https://www.unpac.me/results/0b03e936-8223-416d-981d-a232d4c152d3/
SH256 hash:
6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672
MD5 hash:
f64d3ab3885e476d043038fedbc500d4
SHA1 hash:
19003913d74d3cd4159f508649af3b38ca444b39
Link:
https://www.unpac.me/results/0b03e936-8223-416d-981d-a232d4c152d3/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f5d067563fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6f5d067563fbd08367cab98f99c1dbe424567fa64d444347b4cd31725cbef672

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2581830/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382925/

Comments