MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340
SHA3-384 hash:	f3ae817e568e3af9514eaa8771e6ce856a9ed59ae327925c42f759b88d134751795abf5c5ea21d6a140ebe23905e91c9
SHA1 hash:	8dec32121d2f9f876c2b157451968796608d3dd5
MD5 hash:	a8371cb187d99711691ccbecf8f35657
humanhash:	tennis-utah-island-autumn
File name:	form.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	189'952 bytes
First seen:	2023-03-29 13:07:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:K8iy4J+Zvvy4sTEcA5va3XPANN7lFLr8QHVamycbi7GMMAadW4SZo:eon/eP3/AN5fLoQ1amy2WXMrW4+o
TLSH	T1AB049E32C641C070E2A252B5B66D177B843D0D342354A0ABF3E56EE5AEF49E5B12D32F
TrID	30.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 21.2% (.EXE) Win32 Executable (generic) (4505/5/1) 9.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 9.6% (.ICL) Windows Icons Library (generic) (2059/9) 9.5% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

form.exe

Verdict:

No threats detected

Analysis date:

2023-03-29 13:08:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/698227e6-5f4c-4e29-b6ae-f67e9e7b5a88

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/378486/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/642438338e162174987d5f6b/reports/15427acf-d65c-4183-af0f-8e7543a5b5ba/overview

Verdict:

Malicious

Labled as:

Ser.Razy.Generic

Link:

https://www.hybrid-analysis.com/sample/784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7a827843-3d4a-4b22-b001-225d92500bc4

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1204293

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-03-29 13:08:06 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pbcwb44amuej6hdbq2px5pofrmarlvia4uit43aj2g2nrbomwnaa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230329-qc774aaa2x/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340

MD5 hash:

a8371cb187d99711691ccbecf8f35657

SHA1 hash:

8dec32121d2f9f876c2b157451968796608d3dd5

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/b5df7cdb-4eda-4471-a736-c3a79cee6e2d/

Parent samples :

5ad5b73c0bc7325d96a68f35c1a84b692073395b00738c1f31ab5a4f26b131f6
784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340
ea422799d68f64137f7b764aa14fd451c3ec7b1f9b8e7fc2decb42dfcf8d5522

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/784560f38065/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/784560f38065089f1c61869f7ebdc58b0115d500e5113e6c09d1b4d885ccb340

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/378486/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample