MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3
SHA3-384 hash: 6684c3ee02b02a8ea1ad1679c9fc6c005db6e6c0f290c37959691e78510df8626cee331a3f116c554d32d0737d7afc5b
SHA1 hash: 2015c78cdcc01764d2e436c012598fb87cfbe2f0
MD5 hash: f46119800d530db454ce9d90e12d2d67
humanhash: jig-juliet-minnesota-river
File name:f46119800d530db454ce9d90e12d2d67
Download: download sample
Signature Formbook
Create hunting rule
File size:274'214 bytes
First seen:2023-08-09 17:53:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6a+ZJ+EylwsHBTZ84rH69vRYfVC9dDpzALHmGp:/Yk+ZVy6kC4zpUrALG+
Threatray 3'538 similar samples on MalwareBazaar
TLSH T1E1441211A4F4C477D87107325A362B126FFBE92914A9935F0F302B5C7D27BA19A0DFA1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f46119800d530db454ce9d90e12d2d67
Verdict:
Suspicious activity
Analysis date:
2023-08-09 17:55:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1166a39d-0517-4afc-b942-5e53c4c7d3af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441772/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.20624.20381.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102337/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe3733e7-6094-4536-a980-4fd8ce46bce6
Result
Threat name:
NSISDropper, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1288868
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3/
Threat name:
Win32.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2023-08-09 17:54:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pvlrerp6ux7lfbmr5ttwwqgwr3s3ujs3qpiy25rkghed7u7sw7bq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
010058f0f4fdc7a44781d9704645f7dac272505984f7eed264675121992c1b77
Formbook
0c2e6d5acb82c3c9a5d9aebd50ea3982f10dd70eb516e639b4f8c12d6453c5c8
Formbook
7517367b3b61170bb7637de6f89077069159c4a04f430c28102e2d7cf5a0343a
Formbook
8d9ed6e86b3dd8272711c008c10d4b62f094bf98b84b87b2d18e0c5960d03a74
Formbook
b32ed7458086ae3a05007a54d6660b9ce6382bd82af78c2c56f856ea6f2d95a3
Formbook
b819e0dd1a5dc229d16fa74251262ce7fdd7581a71f66c9dec61149a7c4c7a76
Formbook
be0791f3e56382436345ae0413249be5e66c0a593afc1c83ab57d8bbae61d4ba
Formbook
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Formbook
+ 3'528 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230809-wgvqfsfg9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
b34ef16461be2e9d44e9f77a63c6d46b90dc091ee78ff28af045f1d3ec8fa1b4
MD5 hash:
a045c9df7ea13482def712a8d0ed1ee7
SHA1 hash:
3cf372ad7b704e888a74c572d173d876bce6c87b
Link:
https://www.unpac.me/results/0b430c42-7306-44d6-be9a-5f33abfd761e/
SH256 hash:
7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3
MD5 hash:
f46119800d530db454ce9d90e12d2d67
SHA1 hash:
2015c78cdcc01764d2e436c012598fb87cfbe2f0
Link:
https://www.unpac.me/results/0b430c42-7306-44d6-be9a-5f33abfd761e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 7d571245fea5feb28591ece76b40d68ee5ba265b83d18d762a31c83fd3f2b7c3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2703360/
Cape
Cape
https://www.capesandbox.com/analysis/441772/

Comments


Avatar
zbet commented on 2023-08-09 17:53:07 UTC

url : hxxp://192.3.193.171/400/WmiPrvSE.exe