MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9
SHA3-384 hash:	28e1b1458ca5e31ada840c6204779352ff2b1879ed82f8e32481fb69f4d37438e5d1e3f9c3a2d47794cb6d337f357e51
SHA1 hash:	cd4af01ead10ca106c2c37e8155c9a4d5e2cf98c
MD5 hash:	40a3b67a99299a4f0f3a352b4f7739c9
humanhash:	fish-berlin-beer-seventeen
File name:	SecuriteInfo.com.Win32.MiscX-gen.4126.7297
Download:	download sample
Signature	Formbook Create hunting rule
File size:	289'280 bytes
First seen:	2025-02-11 09:52:48 UTC
Last seen:	2025-02-14 10:59:34 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:jh1qx/eWzTVfGA76zxOJwldxd6DVMZ1X3sMFgNQRQIeSTFzTwis:l1O/eWfQRxdUIgNQuIXPls
TLSH	T1355423278013463AEFE877BE39B6D405C865C777609692DFF6ECA3058C485130AEA31B
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.3% (.ICL) Windows Icons Library (generic) (2059/9) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	196-251-92-64 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

433

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MiscX-gen.4126.7297

Verdict:

No threats detected

Analysis date:

2025-02-11 10:05:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/710c25a1-dfe2-47f1-b8e1-109854257302

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MiscX-gen.4126.7297.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67ab1e5249f32dfb0d82f45a

Tags:

injection virus zpack

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

crypt microsoft_visual_cc obfuscated overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/67ab4e63abc8fdf162c41c76/reports/3a633910-5931-4f6f-b4c7-d2a1d1ae3175/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/34768d1f-73b5-4eb7-895d-ed78e5d28497

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1611953

Signature

Antivirus / Scanner detection for submitted sample

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-02-11 09:53:26 UTC

File Type:

PE (Exe)

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qcnxx2ly52antmkrnhe4yvnfncy2geehtjhaeqdj6hrtqrykateq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250211-lwsvastjbs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Downloads MZ/PE file

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f6192baf-b4c4-46a5-8cd0-5ef2394be693

Unpacked files

SH256 hash:

809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9

MD5 hash:

40a3b67a99299a4f0f3a352b4f7739c9

SHA1 hash:

cd4af01ead10ca106c2c37e8155c9a4d5e2cf98c

Link:

https://www.unpac.me/results/bbe0819f-2af3-4db1-a0fe-07084a66d872/

SH256 hash:

bc312ebbc82840e9d33f776f57af1766549e7abb3ace3dedb8a5f7065b617ed7

MD5 hash:

740fd1e83726d5491c6e1bd3f2663335

SHA1 hash:

3b9ee1e33a9b3c8b8446090159dbdf20656f7873

Link:

https://www.unpac.me/results/bbe0819f-2af3-4db1-a0fe-07084a66d872/

SH256 hash:

457646f5c291095454eae4cbb4d61db2379eba9f6339cd601d6a5461da8eb38a

MD5 hash:

e6f6687352c88bb58f173f8bb0fc1125

SHA1 hash:

4509779eb1f283c8674059da53a7f4ade005c1a0

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/bbe0819f-2af3-4db1-a0fe-07084a66d872/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3435956/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample