MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments 1

SHA256 hash:	719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513
SHA3-384 hash:	984bd2517a88c2b0e24203c074e6c7c2f675bdcdc6afb7c26836b46bc27deefda60ab4d20da107aeeaf5a52dcbf1b801
SHA1 hash:	b4360cbb741defd8e5653f01b5e7c3ada108f951
MD5 hash:	ab8fe40140e7be3e592dc31d34a516ed
humanhash:	failed-purple-spaghetti-arkansas
File name:	ab8fe40140e7be3e592dc31d34a516ed
Download:	download sample
Signature	Formbook Create hunting rule
File size:	379'393 bytes
First seen:	2023-07-07 09:38:08 UTC
Last seen:	2023-07-07 10:38:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	6144:gYa6vzTaln6ekv+NfCQSNaMt6fe79xekn7Bb2ifHjFCisv81SYR6Lt:gYxzTInJkvuSNaMqo9xtBbRrFChCSxB
Threatray	3'475 similar samples on MalwareBazaar
TLSH	T19984125132D4C8ABD4A692700CB8D6BE69E5BE02EC59461337D07F5F79326C1EA0EB43
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e0aaaa2b0303aad0 (34 x Formbook, 21 x AveMariaRAT, 18 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ab8fe40140e7be3e592dc31d34a516ed

Verdict:

Suspicious activity

Analysis date:

2023-07-07 09:41:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/41e6f27e-c00a-41a8-b9e1-b569bb79deb0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/410445/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/96249/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64a7dd36784d6094d91a2025/reports/36e9cc97-cb98-41c4-858c-30f43b182397/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8244b05e-553e-469e-bd3a-fe7289580e36

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-07-07 04:04:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ognqggtowt5zgl2n3rkbxtirtgk6u4tt656jxptggjzuahivoujq._file

Verdict:

malicious

Label(s):

formbook

Formbook

2a8783a8fa5d2994fdce8d2bce2aeb59434d13534e9f13ccae8de38f72f0798f

Formbook

31d4fa7c04a77660000eeecf8f66e38d6108f460ea7b539744d7bf9216266a50

Formbook

3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

Formbook

539d920211675f7cc535698b9223aae7d732e46d747bae86c00234e8b6dcb3ff

Formbook

7ac2e4aad0054c77e7a2205d156da7032021be264702c8fa76eab7ebc44556ff

Formbook

be0791f3e56382436345ae0413249be5e66c0a593afc1c83ab57d8bbae61d4ba

Formbook

c299e76637951c9dbe6d4e5eed327228c70a186c9c37958b3bb756add59419f9

Formbook

d2f81e234482c1627b7e92601ef74dbc7f3726c64d963dc4655cf90ee54d63ed

Formbook

+ 3'465 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:k2l0 rat spyware stealer trojan

Link:

https://tria.ge/reports/230707-lml1dsgb87/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook payload

Formbook

Unpacked files

SH256 hash:

719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513

MD5 hash:

ab8fe40140e7be3e592dc31d34a516ed

SHA1 hash:

b4360cbb741defd8e5653f01b5e7c3ada108f951

Link:

https://www.unpac.me/results/8cfe4ffe-b3e4-4024-afe9-4362fcca1c7c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/719b031a6eb4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/719b031a6eb4fb932f4ddc541bcd119995ea7273f77c9bbe663273401d157513

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.