MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b
SHA3-384 hash:	20cbf2589738c48a4b33e5a8a5f8cdaa3e570a10d83a218a3bfad53ee5acb31ed1e4992b34645b76ddda7f3a5c1d98aa
SHA1 hash:	4374948e203cba151ebdc43e11e6e115046270e9
MD5 hash:	25aa37e21c29b7cff02509533b585ed7
humanhash:	pizza-kilo-cola-bravo
File name:	25aa37e21c29b7cff02509533b585ed7.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	307'200 bytes
First seen:	2021-10-13 09:43:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c727a98e677fb7bd25bb06d2a2d956f1 (11 x GuLoader, 1 x Formbook)
ssdeep	6144:w7XxnWJoyJuoMQF9CxX/tO7JS4PIcJaL:w7BnkRMQHg/tGTPBU
Threatray	7'827 similar samples on MalwareBazaar
TLSH	T17F642821A2B0CFE0E1A386BF33E94725713A6E3416116C96F74D7D5E5EB22E0A46131F
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

090900 Quotation - Urgent.xlsx

Verdict:

Malicious activity

Analysis date:

2021-10-13 08:52:54 UTC

Tags:

encrypted exploit CVE-2017-11882 opendir loader

Link:

https://app.any.run/tasks/e6efbcda-f7da-4ec1-abc9-176f13d9871c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/197167/

Detection(s):

Win.Malware.Formbook-9802749-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/6166aa66fd35fe780c3ce32b/reports/521b556c-9635-42ac-9558-c19f7582c3bd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/45ab7f2a-80d3-4b2b-8155-f6acb79fa40f

Result

Threat name:

FormBook GuLoader

Detection:

malicious

Classification:

rans.troj.evad.spre

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/869485

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Potential malicious icon found

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-13 09:49:07 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oqfcxr7jzdxo25xpb6asy3ejv424ifbrpv3kyw2qwkgka4unca5q._file

Verdict:

malicious

Label(s):

formbook

cloudeye

Formbook

2dc7525f9ee6e09a25f840b457bf5b0ba228c4697e1f3d4b81bd2964d2eafc61

Formbook

31126bb88883cdb4de8893da0c275cb8e1bc3889258cc7710617b5c65cd6f476

Formbook

3c299b147655000b066676d4e3957f5583819bdda36c7d7710151932a337d2ba

Formbook

ab4676fc90e455da2127126bfbd1fd167328c79eda83f686ef71dd89266825f5

Formbook

bb55c88ca46b3d34d58e0fd9eacedc2a4b753f2d6e7d9d1627ba2fd914deac71

Formbook

e3688d8caa70a496aa55ed70190c2d7fd53487b21f286d14ea6849d78cd375a8

Formbook

e51c60f40080414b74c2eeef62780b28aa31c7875dada6dc2097323a61cc8396

Formbook

+ 7'817 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:guloader family:xloader downloader rat

Link:

https://tria.ge/reports/211013-lqhr5sdhf3/

Behaviour

Suspicious use of SetWindowsHookEx

Guloader,Cloudeye

Unpacked files

SH256 hash:

740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b

MD5 hash:

25aa37e21c29b7cff02509533b585ed7

SHA1 hash:

4374948e203cba151ebdc43e11e6e115046270e9

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/a47c8014-fb68-4ebb-a6ab-51fada7ce03b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1673393/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/197167/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample