MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae
SHA3-384 hash:	76b2a48ac5fdb81da0f0b7819af752122977276d27f54efc0e109e622d9a6d91a6341d58e35390c219edc2267c06541f
SHA1 hash:	40d1c3a700f141f95948b58658bf17a019f90004
MD5 hash:	3f5c1cb6d351c93568a245fba6360d7e
humanhash:	tennis-mirror-may-summer
File name:	SecuriteInfo.com.Win32.PWSX-gen.31302.3536
Download:	download sample
Signature	Formbook Create hunting rule
File size:	641'536 bytes
First seen:	2023-10-30 11:03:29 UTC
Last seen:	2023-10-30 13:30:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:y8r69yqLAZ74kKhdxYdJne/bcpRJgol7euj3g09AkB3no+PXMNElEMhgO:b6XkZ79KxYdNpRJgoAIQ09AklZPX8EKq
Threatray	12 similar samples on MalwareBazaar
TLSH	T10AD41245BAFC4F16C6B9CBF486939100537B627A56E2D31E1ED823CD0693F4DA2B1683
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c4c6a2202e223684 (12 x AgentTesla, 8 x Formbook, 2 x Loki)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/457079/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.31302.3536.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/653f8da334de31f579cddead/reports/9056efeb-20b8-4680-a005-47a11432ccc8/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/92a6a270-7fbd-4ac1-aaea-4e65bee451f2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1334181

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-10-30 11:04:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=puospgmfayeitqbbhsxev2nu5d7mvpd4ainqo3lagt62viozaoxa._file

Verdict:

malicious

Label(s):

formbook

Formbook

073bd91e3126ffb49e91e35f401d096e6bc474b973d432f001e9df2fb62d7a42

Formbook

18542fabceb4ca929c3b47126e86b571c26a4c67b7ef3fea148b3bbd3e5888a8

Formbook

3f98f70b03b079fcf00f40d8819a849513f391eca65c7a3424687138924c60a9

Formbook

82f05aec2ded89e7956c4c559b3db88bd9cc4b90a0ab9fda2200493e56df09d9

Formbook

8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4

Formbook

b253502d8bce85fda32fc5264bb7736c3280149b529fffc2e77f2c66257b0696

Formbook

e5d7a9b5347d9c624a68faad5129bbf34be4de53e91375cb4f74b97bc2175257

Formbook

+ 2 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231030-m59d3sec52/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

040ebacdf0891552a5a175b21e5bd647ee9db167565e025a18bba0d5cbc892b5

MD5 hash:

de9e427377706d0135c4320ade02240a

SHA1 hash:

f9d15efffc83e78c6ce05e6120ef1aa5bb873859

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/0c12217b-e056-41f7-911a-0a6fc8e308c6/

Parent samples :

7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae
fcdc9c84c2d743794b07d4cff425214fa4466f3698e88d36cd6956531303ab1f
c213ee22a5995544b5e65e22ee4fc7084d165f5c0d1037d773dd4e44ccffc686
866793fb3e5da0b352d26f37db6deaa73b598019a29c0434da5a805c12fda095
2772267437ac2a4a39e1c4893788b420e3eafd75c0517c3d8bb58516c8e2b196

SH256 hash:

0ba1122a32e87e976c3c1076bc93d38b8da59635dd7541bbbe393cd6b76170ee

MD5 hash:

114a8ee279e136584a12827ac26ede30

SHA1 hash:

72a7bed5b5e5c5a69a5570772d22418bbe55e9f9

Link:

https://www.unpac.me/results/0c12217b-e056-41f7-911a-0a6fc8e308c6/

SH256 hash:

4cdae0f178cfe2c48ae1023b3b550a370d1bf3b7970cca58928b675ec5785a8f

MD5 hash:

110ed58f1e070af6eb437620f0d5623a

SHA1 hash:

cfcddc8d4aa7ba79b4ff9f53796c479963c05c59

Link:

https://www.unpac.me/results/0c12217b-e056-41f7-911a-0a6fc8e308c6/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/0c12217b-e056-41f7-911a-0a6fc8e308c6/

SH256 hash:

ba05154fcdf5647edce7ad83c696b919784b6302473bd457486cc21504b8f729

MD5 hash:

80148d85ca239bf6c340c9b2567321f5

SHA1 hash:

1a113fe9486d7bc1844c91ed23176c722876ca2e

Link:

https://www.unpac.me/results/0c12217b-e056-41f7-911a-0a6fc8e308c6/

SH256 hash:

7d1d279985060889c0213cae4ae9b4e8fecabc7c021b076d6034fdaaa1d903ae

MD5 hash:

3f5c1cb6d351c93568a245fba6360d7e

SHA1 hash:

40d1c3a700f141f95948b58658bf17a019f90004

Link:

https://www.unpac.me/results/0c12217b-e056-41f7-911a-0a6fc8e308c6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7d1d27998506/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/457079/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample