MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55
SHA3-384 hash:	5324c229d3058aec95aee94be85a5cdb7a228e37dbba6215be3eb11eb515414cfe477020bf223a2b1f0c539e6ec486d1
SHA1 hash:	2ed5dd6107be77a09812f45993604ed496417d0b
MD5 hash:	9809924a1fb0082898813c23dbc84b24
humanhash:	crazy-snake-stream-bulldog
File name:	9809924a1fb0082898813c23dbc84b24.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	190'464 bytes
First seen:	2023-09-21 06:15:47 UTC
Last seen:	2023-10-10 14:07:04 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:OPUq+jL3rWh716RfGYSeK95YWX2PaAlN4eT0FNaP0hBUxY3rC8XG4t7hXs+cCk3X:4K/3rUJYSx95YBfSrF8OaiusG6hXs/H
Threatray	518 similar samples on MalwareBazaar
TLSH	T1141412D3E2992A4AF2882134F02490D55DE728F6B4B17246CDE45852ED33CE7D87D8FA
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.DropperX-gen.16843.25908

Verdict:

Malicious activity

Analysis date:

2023-09-20 10:34:57 UTC

Tags:

opendir loader

Link:

https://app.any.run/tasks/b193c5ed-2c3f-4ed7-a7da-4ade7970a730

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450258/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook overlay packed razy

Link:

https://www.filescan.io/uploads/650bdfa20870810f01836ba7/reports/15a7e044-c222-46a3-ad4f-a41bd5083b46/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca81eccc-e274-4517-abca-15053f16696d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1312044

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netstat to query active network connections and open ports

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-09-17 20:37:22 UTC

File Type:

PE (Exe)

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qgb7hub2vpje6afbjtpuxvxirskgxq6suf7nenuhsjbg2mtyhzkq._file

Verdict:

malicious

Label(s):

formbook

Formbook

6e519bc15ada2a71728074fba50228c1bdf1668e52c857d20f3d7c7e3bc9b5d2

Formbook

732ba957311e662ad12d7a11cfb649842eb17098a7ba83d31a315fc0d53460df

Formbook

751979a730418403c73ea0e14c8ad5d77d4fd95de07a9cc24aa3ca21650ee1e6

Formbook

8da7f3f5c82fa1468900d1f92ba263d74d62d0ec4c2128d4aaa260a0baca27a3

Formbook

ab014726aed51970dfc05e4afc3269d5d4ab208c480683ca4da49fe07d3fc90e

Formbook

d434a9f3609e63a13feafd0bc3bf29abac38d194b72220d9e51054abdaf84826

Formbook

e7577fff79de0c5b21ec3684a69f99c795cd7f945c3c71b9b4f414e07a7e34fd

Formbook

+ 508 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230921-g1f9vafg95/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

ceb79e1fc62ddad6e0d0d8f5b5ce90befdddf59e00454b7f55b812f4ffc813da

MD5 hash:

2f6197434ec7caddbe49f407f48e48f8

SHA1 hash:

ad2beb15388893bd83886b0d126f2f44d0519588

Detections:

XLoader

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/5feb2d9e-a638-48e6-acec-13600c5eaf45/

SH256 hash:

8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55

MD5 hash:

9809924a1fb0082898813c23dbc84b24

SHA1 hash:

2ed5dd6107be77a09812f45993604ed496417d0b

Link:

https://www.unpac.me/results/5feb2d9e-a638-48e6-acec-13600c5eaf45/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8183f3d03aab/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2712651/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/450258/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample