MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25
SHA3-384 hash: 815c3bf9d9caf47f0542b1e47ac16e84d395ea5bd256331a025776cb7df046be4b308e6dddd8015a4220557131d2e3f4
SHA1 hash: 9befc1993fd145bb23b0760523cf13cbaf37bf68
MD5 hash: 201a474362903c02f0bea25c9e2dac05
humanhash: xray-crazy-timing-golf
File name:201a474362903c02f0bea25c9e2dac05.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:245'181 bytes
First seen:2022-04-04 18:23:07 UTC
Last seen:2022-04-08 17:04:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmlxWwzoCNb01xnARYNQBS73Q6lB7tp08/d1:HNlzhRNb0zARYyebpf1
Threatray 11'907 similar samples on MalwareBazaar
TLSH T1A6341224ABB9E4F6F4BA4B32897D68624FFEF52606600B5707105E5878337C15B2F352
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260717/
Detection(s):
SecuriteInfo.com.Gen.Variant.Zusy.419810.16820.16615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12587/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624b37d0db9ca5cf841daa3a/reports/2d00d3ed-b66f-4894-b21d-cebdf0319688/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06068123-7955-4d8e-a70d-7ff5e094e715
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970351
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602838 Sample: CQjRNWh3jL.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 11 CQjRNWh3jL.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\...\iiwwwfp.exe, PE32 11->31 dropped 14 iiwwwfp.exe 11->14         started        process5 signatures6 55 Multi AV Scanner detection for dropped file 14->55 57 Tries to detect virtualization through RDTSC time measurements 14->57 17 iiwwwfp.exe 14->17         started        process7 signatures8 33 Modifies the context of a thread in another process (thread injection) 17->33 35 Maps a DLL or memory area into another process 17->35 37 Sample uses process hollowing technique 17->37 39 Queues an APC in another process (thread injection) 17->39 20 explorer.exe 17->20 injected process9 process10 22 wscript.exe 20->22         started        signatures11 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        27 explorer.exe 115 22->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 09:08:20 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyzx2fmvuryjpj5hfhivrdsjjj3y7mcnjdqc2yhujhpxvehtbmsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c6a3fdbe07eca91bb067a9ba1c90bd87df0d94a0f8c9d870c792baa4a040c45
Formbook
51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc
Formbook
7074a1c66e9cb6a328332b150d8011ee1f1c3a03318e960fcca03fce5bafa64c
Formbook
8c8afc7e873c1fc04cfc9cc2331ed6f46dad4defd1158e39f10258ee4b477758
Formbook
aaa025e66e7edbf2120c46ca3f09420caf7a71ff6c52cd64ff69198b339778ed
Formbook
d675408e7dcc87922c9d654a5c4f387f70d4a06ad99bad187753d90ee6381a87
Formbook
+ 11'897 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:sf31 rat spyware stealer trojan
Link:
https://tria.ge/reports/220404-w11e2safd7/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
70a06bcb58368e722ea5821170ae0d745ee7235aeb8c91e96b7ea2a00eabc210
MD5 hash:
fd6cb10d1c8d6ae2c9818ae87dfc6e1c
SHA1 hash:
85ad8ce278ac51ec904e2370e7a6c4180514fe04
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf0253a9-fc3c-4c62-abfa-ead98c3e497e/
Parent samples :
76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25
8c6e630e2b923d9961d01d662f8ea7455f29549515ef1fee8b99b0aa1da43858
835a8ca638d5d8775e0a38e1486d24f887306b94894edbd501cc5de9527d1cd8
7bafdf9104df0d8445c2478014a23e68200d48c2c438b4ad1820f8995936d129
64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070
f1c65a4c95ac59ee5774fd858b8e4cb9cdd3d1374894c33eabeef692f76f889e
SH256 hash:
ed384c969d668ac902352a2699da96dff055fbfedd316878a1eda9939b54a629
MD5 hash:
e23815e8f201b028a83798a80212a4e4
SHA1 hash:
176a20e8ee019cc1d4a15be8645ab008d503f2d4
Link:
https://www.unpac.me/results/bf0253a9-fc3c-4c62-abfa-ead98c3e497e/
SH256 hash:
fd291e6f2bb68264d7a83957fc9ca9440643f2d99c2ba1113c6ccd38bef5122f
MD5 hash:
1a4e5fe1ab6a2e667fefd9305fdb1da7
SHA1 hash:
5b9b5187fe063d45f2cf45e81e9527130767530a
Link:
https://www.unpac.me/results/bf0253a9-fc3c-4c62-abfa-ead98c3e497e/
SH256 hash:
76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25
MD5 hash:
201a474362903c02f0bea25c9e2dac05
SHA1 hash:
9befc1993fd145bb23b0760523cf13cbaf37bf68
Link:
https://www.unpac.me/results/bf0253a9-fc3c-4c62-abfa-ead98c3e497e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/76337d1595a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2115093/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/260717/
  
URLhaus
https://urlhaus.abuse.ch/url/2133006/

Comments