MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9
SHA3-384 hash:	5597dbfaae4a7d417866fd2ec03362bfbc37dccd543c4fc88ca1a318c8582ae4220ca777010c1f47a00766ceb057b74b
SHA1 hash:	268a7a85813de0d0fe2e71b43a6c3e87cdd50bf6
MD5 hash:	f5befba30d68a0c40b21e441f8faf9ef
humanhash:	hotel-september-bacon-green
File name:	tt.copy.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	245'633 bytes
First seen:	2022-04-11 08:09:11 UTC
Last seen:	2022-04-11 09:04:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:HNeZmHpeFbPBakXaagvOoUQSGFrLbXYjO:HNlHOP4kXaagvOQjF3cjO
Threatray	14'797 similar samples on MalwareBazaar
TLSH	T1723412547914D403E972053B1F392EAB9EFAD6322431D31B1B601B6E7E53B62811E3DB
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

tt.copy.exe

Verdict:

Malicious activity

Analysis date:

2022-04-12 05:49:46 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/38d2d147-1e20-4d3c-923e-b3ed4b57cb28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/262614/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.31286.12379.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Sending a custom TCP request

Searching for synchronization primitives

Setting browser functions hooks

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13436/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe formbook lokibot overlay packed python shell32.dll virus

Link:

https://www.filescan.io/uploads/6253e26104b81dabe27e1beb/reports/a196ceee-05e8-47c2-a696-05de8d62aaf4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f7536776-ae8d-40c1-b308-748b631378cc

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/974345

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-04-11 05:22:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ql2tfwklrambr7fumm3uevtdvkdkcasupei5dwa6wwnxkitou34q._file

Verdict:

malicious

Label(s):

formbook

Formbook

51ca9a86ecb638b2805cd27a752159a05d4a3317c11ea43fb0f0cca78601c8dc

Formbook

76cc06bfad45121afa9c1b5ac81cfc129a3a16a388170a84e895ed099ccccecb

Formbook

945f67ae677681e14db036f753f47333556fea6f3837bef7399e440e6bc167d5

Formbook

995ed5a87efc98cfc45cd810d470bb7aa28a8e598da4a27516892bffdc99ac27

Formbook

c61a915c345d7574f2730043bc34dbed169ccc9041205546bab4e60d5c0f21e1

Formbook

f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817

Formbook

fd47fb1d9ae6d4fa2d64afcc600498076f0f8803cb134782723c4a8bd0ae81b4

Formbook

+ 14'787 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:dw4g rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220411-j2pzgsccbp/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

6ae572dfafa980162ff4b75a7cbf371bfc6d0815dd3b257800ecf7daa2d63ed4

MD5 hash:

2903c624a294fa43ef1b64a7eb6a320c

SHA1 hash:

b42abbeb5242d192fb397e86ab3338d675a38d3c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/18304ef3-c031-4efe-82f2-dd11111fe1bc/

Parent samples :

f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817
fd47fb1d9ae6d4fa2d64afcc600498076f0f8803cb134782723c4a8bd0ae81b4
fe5228dc8dd399335b380e7cca9fa87c3742003c9836d6d9d8e2e6152d6914e4
a5e95ee8d1974c95a7346aaef53105fa6fd3eb6aea2e85e1e00e4d8f4052f26d
82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9
5280905309fe7450fe1fb925e25d59068772c0d1868b1c4ac6418d5f93e28abf

SH256 hash:

f70460316a8ad10247214b50788aa61bbc8db0b9f34bfe199146eb29d446628e

MD5 hash:

899d1bebd2aaca68051445c7f909ecc1

SHA1 hash:

269beea28d9169fb001bfafe589fe90a7eb58ec6

Link:

https://www.unpac.me/results/18304ef3-c031-4efe-82f2-dd11111fe1bc/

SH256 hash:

4f29d07b5eb8ba7e2aea66861107ae916baf749a4ee96eda2950fcd24920f1ab

MD5 hash:

5d33bf01953a250dad5ef51209dfedca

SHA1 hash:

c00bf3181904716000c291dccf64450d0e207f4a

Link:

https://www.unpac.me/results/18304ef3-c031-4efe-82f2-dd11111fe1bc/

SH256 hash:

82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9

MD5 hash:

f5befba30d68a0c40b21e441f8faf9ef

SHA1 hash:

268a7a85813de0d0fe2e71b43a6c3e87cdd50bf6

Link:

https://www.unpac.me/results/18304ef3-c031-4efe-82f2-dd11111fe1bc/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/82f532d94b88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 82f532d94b881818fcb46337425663aa86a102547911d1d81eb59b75226ea6f9

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/262614/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample