MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 17 File information Comments

SHA256 hash:	8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61
SHA3-384 hash:	6c7c2a9a3bb0790f40020c0af2380c7e3e346d4202cfe83388bcf32dc11313cb9160921d0204f6c889d54367523a7966
SHA1 hash:	62d9e7d13743972181cfae580d4d1ae6ace11574
MD5 hash:	8604069b558d82968d36724384d64715
humanhash:	arizona-blossom-winner-don
File name:	Wrong Payment Information.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	391'698 bytes
First seen:	2023-10-30 13:56:07 UTC
Last seen:	2023-10-30 15:51:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:F8LxBsLUGVlrw6NeTgtXNaTjx8JY9R6erkjYq4fIJWcK7lZa6B3ug:/LUEleAdBJ8iBRI7XaZg
Threatray	21 similar samples on MalwareBazaar
TLSH	T11C8423411B9744FBF6AE8A30D332DBFAF7B9810262515C4E57D02EBDBE54147CA202E5
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	cocaman
Tags:	exe FormBook payment

Intelligence

File Origin

# of uploads :

# of downloads :

327

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/457114/

Detection(s):

SecuriteInfo.com.FileRepMalware.7724.32598.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/653fb62f72356e4f29e9259a/reports/235c2998-69ca-499c-9729-f1ad1ccf14bc/overview

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b24828b-0e05-43a9-a391-50734d560948

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1334288

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample has a suspicious name (potential lure to open the executable)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses powercfg.exe to modify the power settings

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-10-30 13:15:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rfr6gjrkz4ames54yoce5xmquqiof4722tq37b2iytdzr2zbjrqq._file

Verdict:

malicious

Label(s):

formbook

Formbook

073bd91e3126ffb49e91e35f401d096e6bc474b973d432f001e9df2fb62d7a42

Formbook

47ac55851c62e30f0553a5d32f2b6a128f532b9904fbf5e100b53895ec8a86ca

Formbook

82f05aec2ded89e7956c4c559b3db88bd9cc4b90a0ab9fda2200493e56df09d9

Formbook

8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4

Formbook

b253502d8bce85fda32fc5264bb7736c3280149b529fffc2e77f2c66257b0696

Formbook

da92f3184a36b6b1be15d1e93be7c31d173769241d1f3dd98bcfc22796fd9e69

Formbook

e5d7a9b5347d9c624a68faad5129bbf34be4de53e91375cb4f74b97bc2175257

Formbook

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231030-q8849sfb85/

Behaviour

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Enumerates physical storage devices

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61

MD5 hash:

8604069b558d82968d36724384d64715

SHA1 hash:

62d9e7d13743972181cfae580d4d1ae6ace11574

Link:

https://www.unpac.me/results/3e3be5e0-483e-48f4-8402-79c6eea30963/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8963e3262acf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 648fa65ef2b55b32208a1406c8d220971389008132172a097a8321589bc9956a

Formbook

exe 8963e3262acf00c24bbcc3844edd90a410e2f3fad4e1bf8748c4c798eb214c61

(this sample)

Delivery method

Other

Dropped by

SHA256 648fa65ef2b55b32208a1406c8d220971389008132172a097a8321589bc9956a

Cape

https://www.capesandbox.com/analysis/457114/

Dropped by

MD5 30d9fed3cdab59f95cfa52d1770c25bc

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample