MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa
SHA3-384 hash: da324208aa1db8e975aae52fe3bc3cb4b50ef3831374c455c13427f277171fd3e496ae7971c2e2febc4146093d0141b3
SHA1 hash: 9680c44f0b163536767a45949e8e6e271a8f1558
MD5 hash: 4a5cb42c4dddfa574bf6782c609bf5bf
humanhash: paris-saturn-fix-speaker
File name:RFQ -ANOPC project2023.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:389'219 bytes
First seen:2023-10-02 05:04:25 UTC
Last seen:2023-10-02 08:48:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 6144:BnPdudwDsPPj6Z3M8Tv4eAGyYsfxFAATHrj7amr3h4fKq05/SHgrN7liblNbYkyv:BnPdw3AR8ayY8zAMHvvx4fm5/SHglwNY
Threatray 62 similar samples on MalwareBazaar
TLSH T10884234227A0C4E7E533C631EE716EA33A92EE0461C4893F4B409DAC7EB60D5ED1BB51
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter JAMESWT_WT
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452565/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.8902.26768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/651a4f801edabd9982a2e0aa/reports/ff6bdc6e-5509-4169-8892-238d244e667f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0c9ee411-4726-4ae3-9740-a1a2cbe06a95
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317712
Signature
Antivirus / Scanner detection for submitted sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa/
Threat name:
Win32.Ransomware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-01 22:31:26 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oz76rzcle5ijlrfolucag2olkio23sfjwtcc7rqalr4rayi4mp5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
Formbook
1f9a84f1b9a2d6e91efcf84470f260e867ac8c2a6c42109ceae024d9f370cd8f
Formbook
50f83575bd53ca54e6cccc82a0c6e2cf51947f2af2284701916e87500271e0e1
Formbook
58357272406c20e677f34777d792bdecc67f8502616621858a609d9cd8e3bd7e
Formbook
5951cef80086bfb2ce1cbb16802612e3366525aa94f5ebccf352c3761bcf15d9
Formbook
b47036189825426c6e368fd21594aaba8dbdcf573464d2939f99da44c9874b97
Formbook
b7c2c67469229933e03fe2186b865bc18c315e498b369d74c000c64255cd495e
Formbook
f23c197a08df004d0646c8588e588d3ae064368a208f4679718c0c8995161362
Formbook
+ 52 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231002-fqt8aaha73/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
defbe5b1c6cae87d6178978ed52acf902fb7e0e0f4424ef55b035986ec438b7c
MD5 hash:
d47037ac642db626da896f9f11a077e4
SHA1 hash:
fa8c91ec96a5a39bc6d8262a3e2e38d4d81ed7df
Link:
https://www.unpac.me/results/2ced19dc-5e05-4d5c-aa4c-e5f8b8b3d3c4/
SH256 hash:
767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa
MD5 hash:
4a5cb42c4dddfa574bf6782c609bf5bf
SHA1 hash:
9680c44f0b163536767a45949e8e6e271a8f1558
Link:
https://www.unpac.me/results/2ced19dc-5e05-4d5c-aa4c-e5f8b8b3d3c4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/767fe8e44b27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 767fe8e44b275095c4ae5d040369cb521dadc8a9b4c42fc6005c7910611c63fa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/452565/

Comments