MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d
SHA3-384 hash:	8bd174aceb8622199bd3eb7cb01bd6e6dd47ef52dfce2953cf3d2b86e1ef41cf82f2aa69ef3df9e1719b200341a380dc
SHA1 hash:	d74cee87fd48e1708bc0f9b69594fb1451cedf9a
MD5 hash:	82c9a5f1e5215ce3e1d571a5725c038f
humanhash:	pasta-finch-stairway-carolina
File name:	702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d
Download:	download sample
Signature	Formbook Create hunting rule
File size:	185'856 bytes
First seen:	2023-03-08 11:23:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:AOf5H7753mJo6uw5lTVHJuvVvFbDo14V4kDCpBlHTSHlMJgZCtdr1Gg6WZ:AOhHtm9uiJuN9gvBlGFMekfpuE
Threatray	2'282 similar samples on MalwareBazaar
TLSH	T1090423484DDAC323C3BE85F0A82E5179D9223F2E54753881EEB36D71D08E6EE70A8D55
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d

Verdict:

No threats detected

Analysis date:

2023-03-08 11:22:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/69d9cb60-7774-44bc-86b0-856a52f48ecf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/372532/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed razy xloader

Link:

https://www.filescan.io/uploads/64087055f1a68c396b2da9a1/reports/134a5dab-d9a7-4933-98ae-92588607cd91/overview

Verdict:

Malicious

Labled as:

Ser.Razy.Generic

Link:

https://www.hybrid-analysis.com/sample/702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c4677b83-d6ba-49f2-874a-abbb5ee9c8c6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189359

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Deletes itself after installation

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-03-08 11:46:03 UTC

File Type:

PE (Exe)

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oavmwbbq6eb7vafsn52mljv6whpdlnwto6nomvup4f5mo3altagq._file

Verdict:

malicious

Label(s):

formbook

Formbook

459aa22827ed6a13af8399cf656ba76b1f9539edb3085ff3256804e111f52c9e

Formbook

615349f7344705307b2316dee1177a887390195e85d692069fb2c74def5a4ece

Formbook

6962c8773218a9a75d08204d9f509f32f21ec96dfa1c5bea5bd9345d8abba98c

Formbook

93827cfecf4525a58bb7e1214ed62faf17d6b2831b0e7da4ce5cdbdecfbf2261

Formbook

93e9640423fb4afef5c9255f3489af80b7961696350cf0c30cb295711bb50a8e

Formbook

9994b20e500ad5c9973f3627d3b9225b7b7b6f9ef2c5dd37b93d71a8e479007c

Formbook

a803baeae3e3a6d11b39b8a3df5bd4454fb50a3d950c19071e7f8d4ecd545237

Formbook

caf42d835224609c61dcc1b6ddfcf517e47088e750ee67b16508c4fb2fdc5e6b

Formbook

e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6

Formbook

+ 2'272 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230308-nhqtwsga34/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

771f33b1529cde22a021cf9a8e54acecf4d63b6d88c39372447d90a943a3f0f1

MD5 hash:

ce2c06258d4322854c6ac7ac3d0ba4bc

SHA1 hash:

378e75600ac72f65f0de2a69df89f54cdc317c69

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/1d6de040-e1b0-43e7-9a47-640546395607/

SH256 hash:

702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d

MD5 hash:

82c9a5f1e5215ce3e1d571a5725c038f

SHA1 hash:

d74cee87fd48e1708bc0f9b69594fb1451cedf9a

Link:

https://www.unpac.me/results/1d6de040-e1b0-43e7-9a47-640546395607/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/702acb0430f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/702acb0430f103fa80b26f74c5a6beb1de35b6d3779ae6568fe17ac76c0b980d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372532/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample