MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d59b2ad4e3d33dd0919b627f3a8afb3b50976506662e6be6529cf9a7f0a6ffb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments

SHA256 hash:	7d59b2ad4e3d33dd0919b627f3a8afb3b50976506662e6be6529cf9a7f0a6ffb
SHA3-384 hash:	903a11432a116ac95bf902f9581ae7b7b3a447ccef66021851dc9dc6c30a6189198ce1922ccf838582889e6301566ccc
SHA1 hash:	acd910d55feb996c295f5435452cf4448e91a7e1
MD5 hash:	50628bdb55275267d1e1db58baac2e55
humanhash:	oranges-single-single-wisconsin
File name:	formajo.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	218'183 bytes
First seen:	2022-11-03 00:00:32 UTC
Last seen:	2022-11-03 02:04:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	3072:qUJoFfWzzl+cSME3/6M4QrF05uU4Zsh3vfoy3WIxbfqaJph3qSxBeJTOMDqiBxLN:qweEpC/6ex05uU/lQy3b+YURQMnN
TLSH	T14A2402A531E450FBC445BAB446BA9373E3B7E9001021769F83F0AFAF3E512DB4619593
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	pr0xylife
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

formajo.exe

Verdict:

Malicious activity

Analysis date:

2022-11-03 00:03:49 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/2faa50f3-beda-4ccb-ac0a-d138e7c35085

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/327443/

Detection(s):

SecuriteInfo.com.Gen.Variant.Lazy.259539.11401.10145.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47640/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/636304bfce1f43143c2a8465/reports/058daa77-24e3-4d72-923a-fc9b9a6a250e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dab1d5c4-5f3c-4500-9f04-5de52d8efda9

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1103856

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d59b2ad4e3d33dd0919b627f3a8afb3b50976506662e6be6529cf9a7f0a6ffb/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-11-02 03:12:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pvm3flkohuz52cizwyt7hkfpwo2qs5sqmzronptffhhzu7ykn75q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ao29 rat spyware stealer trojan

Link:

https://tria.ge/reports/221103-aaw42sfecl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/29eb1d88-d19d-44c3-837d-3266392e688a

Unpacked files

SH256 hash:

50f918f95a0bbe9683fdc7532b2226a72960241d55fdc3994625e6109bc1c38f

MD5 hash:

58ecf75c0fccf54286925106736bc085

SHA1 hash:

01112c3c1a94aa739e15a060d1b239547f90e670

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/c385c381-d174-45f3-b496-bd15172fea89/

Parent samples :

09da53e995501bda431956e08c48092a4a15c3421ec5074f683521e2a570bf61
efd2d52e592f42c9568b93757f2e0cd38d4fd263ac36eb31910abfd7053007e2
7d59b2ad4e3d33dd0919b627f3a8afb3b50976506662e6be6529cf9a7f0a6ffb

SH256 hash:

5369f01308fc6b211778400efe14a31ec1a69360b8ed2fef6725e51485cff7ae

MD5 hash:

a75d2fb28a9ced6273ac7724d5794c1e

SHA1 hash:

8b4d9b47fce554970c1a2ba63ccc46969ece977e

Link:

https://www.unpac.me/results/c385c381-d174-45f3-b496-bd15172fea89/

SH256 hash:

779baaee891cd8e08a9c1a0b5afebd528b90029e46676dd89419ef6a0ca02c8f

MD5 hash:

fefd64b5de850e038298261521c9179f

SHA1 hash:

d595a0e0d443c200772b360f7c26972bf5424b88

Link:

https://www.unpac.me/results/c385c381-d174-45f3-b496-bd15172fea89/

SH256 hash:

7d59b2ad4e3d33dd0919b627f3a8afb3b50976506662e6be6529cf9a7f0a6ffb

MD5 hash:

50628bdb55275267d1e1db58baac2e55

SHA1 hash:

acd910d55feb996c295f5435452cf4448e91a7e1

Link:

https://www.unpac.me/results/c385c381-d174-45f3-b496-bd15172fea89/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7d59b2ad4e3d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/7d59b2ad4e3d33dd0919b627f3a8afb3b50976506662e6be6529cf9a7f0a6ffb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/327443/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample