MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
SHA3-384 hash: d14e625c334fa7b4ffd3ff3bfe93a1050d7a52b87d07451c79c6f59b88bc852461180126d2d110f0f712256868d9c4df
SHA1 hash: 76a91ee65551d7babf8799bbecd9e78c44f47787
MD5 hash: 607868824f841ff4b6e24e997228d10d
humanhash: uranus-stairway-blue-butter
File name:607868824f841ff4b6e24e997228d10d
Download: download sample
Signature Formbook
Create hunting rule
File size:628'736 bytes
First seen:2024-06-25 13:05:22 UTC
Last seen:2024-06-25 15:22:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:LajzneBoLmk8bLq4xKNhZAb2drAJuU6ljqdLGtierEWhuV:2jznfL/qLxK7ZAbWAJJ6lGdLGtierEJV
Threatray 3'209 similar samples on MalwareBazaar
TLSH T173D4CF493B2015B5DD3986F2A8D706393F70666231E1C8216DDF0EEDAADAF8406CB15F
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
336
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
Verdict:
No threats detected
Analysis date:
2024-06-25 13:08:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a005ac0-dc62-4449-ab9d-6bbd6becbaf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.16735.14421.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667ac0f70685885c286ad496win7simulatehigh_evasion
Tags:
Generic Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/667ac0c56b8dba248b45535a/reports/f0693ae3-c35e-4f24-b52f-023ac56eb722/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce1ed3b8-8999-4c76-b722-8caca904c9fc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1462401
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-06-25 09:38:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oojlnjyqlaygbv7vxwfdu5lt7ihspcsuh6lbav76ybceluax3y5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b97c43d0eb22c21c8c4be37b6b45a1fd2acc9aa8c2a30012a06c2a0fb23a1f2
Formbook
13bc94a2f39a03f509036ff58462b974c401cac0df52cce22223114f909b2f72
Formbook
3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0
Formbook
4a5be9ff6a2401e1d1d08a56acf3664ccddbae314a1d26e6debc90adb401d414
Formbook
571114066b38641901a6a70cf10fc8c0d64167b09c220c19acad7d15505455c0
Formbook
7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
Formbook
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
Formbook
ebdc855d3a59911b5096ed167a66a6f9361c0a367bc9c7664693ef11582d1b1f
Formbook
+ 3'199 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:btrd rat spyware stealer trojan
Link:
https://tria.ge/reports/240625-qb3k8avbkq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c932dfb-fdc7-4550-ac62-e962b9c64316
Unpacked files
SH256 hash:
6df4974f7421b18607d34f0b45bcd66f7eba2dcea9bfb06322b858da72375afc
MD5 hash:
539b528455f15e6fcc60fa2644b801db
SHA1 hash:
1f919b03082484d82cb061f730b8236dce855fa6
Detections:
FormBook
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_w0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/ba412b32-62d0-4493-affc-b3bc04da0da6/
Parent samples :
7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
d8e6a83561b9d8dbe84de21795763589d2626904ac6406ddfe2dc2342c4edb8e
676e4dc7f22754ad4bc78e4eff5e6df0a66461e5e6c76fd35b1cd50f099f2aff
9a9381dbc7eea48c1a098e0b4d8432dc615b4f41ed697369f22833d8ceef9e9c
98a4d518bdfffcac61e710765afc3176042ddc22d345b2bb4fac48cc2056bcaa
3deaaeecdbfc007dcbbdd5328a1c06477a778d6d87acc7f78ddd234fcce0757b
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/ba412b32-62d0-4493-affc-b3bc04da0da6/
SH256 hash:
b5666eb286ea8a47781d7eb0153cfd85d4e1c817a01e95346ce0c646a243b595
MD5 hash:
5d3aeff155e32b51e11a416a301b1014
SHA1 hash:
76bffb499ff713fc0830dfea08460b57b5124841
Detections:
MALWARE_Win_DLInjector02
Create hunting rule
Link:
https://www.unpac.me/results/ba412b32-62d0-4493-affc-b3bc04da0da6/
SH256 hash:
7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
MD5 hash:
607868824f841ff4b6e24e997228d10d
SHA1 hash:
76a91ee65551d7babf8799bbecd9e78c44f47787
Link:
https://www.unpac.me/results/ba412b32-62d0-4493-affc-b3bc04da0da6/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7392b6a71058/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2905754/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
zbet commented on 2024-06-25 13:05:23 UTC

url : hxxps://universalmovies.top/nelb.scr