MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
SHA3-384 hash:	8c411d58561f0353e5c115d59084446b101e8b2772a530648ddc6d2a2764cf68cdbf90e1a39c25d9227afc5c0a77fbd6
SHA1 hash:	4eb9097f4f62103ddd3106bff5eb71de9f8e243e
MD5 hash:	7d95ad4efc26e41525aaeb3afc83b649
humanhash:	texas-india-ohio-snake
File name:	71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
Download:	download sample
Signature	Formbook Create hunting rule
File size:	270'336 bytes
First seen:	2024-04-03 12:56:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:w2PS9CD7BXz9TYWCl70wQd/Kr4jrBX+e:w6S0D7kWClAjKk/1
TLSH	T1DD4412D80AD29815D53AD8BC71D51F4A1FDFFBC41804A340360A86A76CBC2EDAF284E7
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0.exe

Verdict:

Malicious activity

Analysis date:

2024-04-03 13:22:49 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/e84dd341-3bac-4988-806c-b9a099b13fdf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/660d5228391c61c479147bd4/reports/d3b8d7ca-4b31-4322-a40e-939b5883f94c/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fb3e7d1f-608d-4ecf-af83-64b72500c4bd

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1419386

Signature

Antivirus / Scanner detection for submitted sample

Deletes itself after installation

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2024-04-03 12:57:10 UTC

File Type:

PE (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ogqnxf4gpfc7u2jfbksv4pmzpkxrd5peahny4woipz4tpy3dipya._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240403-p6x4jsdg64/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

00a4a5384f76a8285967d604cc7a5f8b7f6edd92ecc2a42fa1d66d9eecf5676b

MD5 hash:

62c7e75fad91d868c52df2ef2ac57f58

SHA1 hash:

5c9442f14b56e35af2788d66d21ad42161897728

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

9bd732b738bf593603865d5ff698c712eabe7378e511e28d281e52f39bb5b7d3

MD5 hash:

abec65d74163f8ad9613100045d161a1

SHA1 hash:

b3fce445ae7a1b667300f7df37dfea1502cce2b7

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

7697d10fefa2610e6a1707ab12172f95020d3105fc7c46191d542c8a6d492fcc

MD5 hash:

a340684faf61cc0903e1858ecbc6f019

SHA1 hash:

8fb045204cb27dc58cd5e996fe7a5444ebda1adc

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

ff672e331328bff1189a60f13facfe547ea2adfa5668c50b711ac1afa3660083

MD5 hash:

07ab70554d10d36396e2a42c35d25393

SHA1 hash:

4cae74cacc9e62e9566ddef20156c9bc55dcc6c8

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

8275deb7b1bb822484ad81edf745916cca428c46ea3cd34cc79c3dd2d234687a

MD5 hash:

281eed4db1e7905193340180567f5591

SHA1 hash:

243265cc345bd2be287f29eaff10f9c74dec2234

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

87f1db53b53d8b36d6874194031f0d74fc0eea106731282d5f85ce3d8068b991

MD5 hash:

18573bb9d53ab55f6a52602b623c1971

SHA1 hash:

2083fd4b4e0a5420215a7a0b6d16ea53706047c6

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

6bcdeae38b0cbf45409293b9d8fba74d57d7c6ad48d70e9de60630491acda634

MD5 hash:

af93c7bf04cf09f41d68751489ea2ba0

SHA1 hash:

1586112b25865c7493b5035ccba64bec860a472c

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

SH256 hash:

71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0

MD5 hash:

7d95ad4efc26e41525aaeb3afc83b649

SHA1 hash:

4eb9097f4f62103ddd3106bff5eb71de9f8e243e

Link:

https://www.unpac.me/results/cf3b347c-1023-4107-bbef-6fb6eead5c69/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/71a0db978679/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample