MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94
SHA3-384 hash:	c0924f54c55a2de3d96fc2dfb68cac09d05e99f19413f316cea6ba5c332bbf6801570d5b34762dd432459bbb7d8d1572
SHA1 hash:	ffa987faeda3e9d6a912b63dbd8fb7adf105fa8f
MD5 hash:	d8896273f6e3976c0051d2985fca39d3
humanhash:	crazy-carbon-seventeen-red
File name:	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'100'800 bytes
First seen:	2022-12-01 08:28:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	24576:TrqkTiwAAgEEY4BjH04VwMQJXP7XLBRFPG1e/1:HTQpfVwMMP7XL7Fu1eN
TLSH	T10D356A6287F1C8C6F92288BDAEDC7A55196819C148A84C49CC133D901E79C6BF1FD9FE
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	62ceaeacb696968a (1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001

Verdict:

Suspicious activity

Analysis date:

2022-12-01 08:31:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b87a3da4-3a72-4503-a50f-3fd7b8b51f36

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/341026/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638865d1ec3dbefe4912337e/reports/81485061-3355-4322-ac60-c63c8177fce1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3760a95-a2dc-498c-9ade-1777b4f9f568

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1125103

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-12-01 08:29:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

10 of 41 (24.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o47ccoaopmucaldmcqwukyv47vzt3zdp7i7ghijvdxjimdaglkka._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:fh8p rat spyware stealer trojan

Link:

https://tria.ge/reports/221201-kdlgtsed5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/734bc61f-f352-42c3-8fc5-6ef99ca0054a

Unpacked files

SH256 hash:

97c55acc7ec88b2dd218f6c90c1a5b03e27a8b0146291f4f543db99fa4b2037a

MD5 hash:

0610697f1ffdd5d9d5a0213eca711f74

SHA1 hash:

258a8f4cc8d46ebdde5f5b3906d88002509b2e9b

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

Parent samples :

9994b20e500ad5c9973f3627d3b9225b7b7b6f9ef2c5dd37b93d71a8e479007c
a242f1f9b948c1b173fd030a333e2492802d90a9a117f49928c218fcc8eca71b
33731252feaeeb328bcd5a7ab4ac6e08f2712313830fd612c8840d8e1424665a
c14e90c00e4990b3c80a1ed015ad0bf6fdd7fb1d083b7b4d756b5cb74f6c7cd8
773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94

SH256 hash:

f9898338c07100bbcd335fb8b4ab1d0b90e6aef5851b02ed2ba36fafba26d38e

MD5 hash:

685339793c751f3b1a9029c8a5cb23d5

SHA1 hash:

e91a20e243b3baff2c1232d0ee0cfbc4f9d46e5e

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

SH256 hash:

0e8afdf5fb2bd2b03491ea4ac305e012385b055c7ac52927bc9edc070074c1e8

MD5 hash:

6a6ecb945c957397f83ecce40549e6b7

SHA1 hash:

302e7b1f250ded8c36c7c7388be5ea63cbb8d211

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

SH256 hash:

340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3

MD5 hash:

85f9290aa8900e9fd74b01ee23125706

SHA1 hash:

310eb5e4aea5471b74a6385f1da283b9d8e3d698

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

SH256 hash:

dfd41e0eabbdda3d44c853bb004d76d9e183b54102f769df33a239838ab2961d

MD5 hash:

ea2e7f339c6ed11bfe947e25bca41ca3

SHA1 hash:

10238859d2d98e67b53d312750a2c573c2731304

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

SH256 hash:

773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94

MD5 hash:

d8896273f6e3976c0051d2985fca39d3

SHA1 hash:

ffa987faeda3e9d6a912b63dbd8fb7adf105fa8f

Link:

https://www.unpac.me/results/d9acfd46-502f-4821-9c1e-6b474db60804/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AlternativesExample1 Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/341026/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample