MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6
SHA3-384 hash:	8de0c771c0c42700aeebca5be9bb239556d878b448fa3f2944789aa003e590aa6dca4c43c0ebecd476840a24c6af7093
SHA1 hash:	ffd126fea14ed2f3c729ea224bded923144eb6cc
MD5 hash:	00917f563ae599538cd253d69bafca17
humanhash:	sixteen-four-victor-lamp
File name:	00917f563ae599538cd253d69bafca17.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	251'018 bytes
First seen:	2022-03-23 20:10:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	3072:rS17XJiDxmJJtnsIf8sgOwsNm9n1dIKnPe21UFOv2DRftPs7d41XKATi+gAlt7Y8:rGiy11wZYi27I7+gAl/uv0lN
Threatray	11'658 similar samples on MalwareBazaar
TLSH	T15434220FA4C1C523CF33067538FFBAB5F2FA9BD0836232A953522E6A59965C785741C2
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

213

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/256886/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for synchronization primitives

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Sending a custom TCP request

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/623b7ef8dfdfa8501cd47bd2/reports/5b59c961-e20f-4067-ac6e-f44c536d86a8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc87d42a-21d3-4018-bfdd-6bf16f3f59d5

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/963170

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6/

Threat name:

Win32.Trojan.Injexa

Status:

Malicious

First seen:

2022-03-23 13:54:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqhlj5xiu3dxawa7y6atsturvn2bbtwevybonsjztjjl4pyw63ta._file

Verdict:

malicious

Label(s):

formbook

Formbook

2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c

Formbook

4d11816de1a6429b0fa2f9754f7e51e45a6afb350ddd5b806974b629e8fc6fc3

Formbook

52c5a7bea43160bab3e96178238af584fbcf648172ef43517c71e755526756f6

Formbook

5f9025473092996ecde530a0e8858fe256baec511bd44c61d8bba0fa3bd22f85

Formbook

8230050be18082cbd46028e18bd49362c630c8c63dfc8b6875b605f250fadda3

Formbook

aad5152504878bc2505e3274d65c3913c4e4274309e4ec5e03e9c555a1995678

Formbook

ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e

Formbook

+ 11'648 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:s43a rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220323-yya4gsfbbl/

Behaviour

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

4499e8eaf173a5fb120bdb53649fa8166729ecdcb3d965a388bdceb403833d08

MD5 hash:

db721aee1b1877c6e2c8918f9681cb26

SHA1 hash:

f6b319f144c2017eb4ff0dbd2a5d6b2b1a25d520

Link:

https://www.unpac.me/results/8c87bc5b-2306-45ea-8104-38e1794e4d5b/

SH256 hash:

7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6

MD5 hash:

00917f563ae599538cd253d69bafca17

SHA1 hash:

ffd126fea14ed2f3c729ea224bded923144eb6cc

Link:

https://www.unpac.me/results/8c87bc5b-2306-45ea-8104-38e1794e4d5b/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7c0eb4f6e8a6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 7c0eb4f6e8a6c770581fc781394e91ab7410cec4ae02e6c9399a52be3f16f6e6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2112786/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/256886/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample