MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc
SHA3-384 hash:	7c4ccd7121af0919378d1de9e3e50b0d3fa4aa6c5f241217721c6c44d500b1fd00e2f33a1f3982a7b89b80f48e2ee6a6
SHA1 hash:	a828a27ba49cc89113fd059e5d2fc044ecb5b25b
MD5 hash:	1bcd242e21181da424e62eba71f13e1d
humanhash:	london-south-music-juliet
File name:	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.19106.22726
Download:	download sample
Signature	Formbook Create hunting rule
File size:	289'375 bytes
First seen:	2021-10-28 12:50:25 UTC
Last seen:	2021-10-30 05:15:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:wBlL/cMN5CcwzeG1a9HswxO3GsWif3qFKdzIKLXTQhx:CeMN56emEHeGsd/qFJKPC
Threatray	10'903 similar samples on MalwareBazaar
TLSH	T11654225E37F25873D9886270462B9337F379B6880021C19BCFE25FA635A16C3E902BD1
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/200929/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.19106.22726.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/617a9cb9db358dd15ee318d6/reports/1a40f42c-9510-46ff-a40a-11eff540e902/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ba210ff6-f8f2-4ca6-8fef-507e828a739a

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/878582

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-28 12:27:53 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

32b793817b07a78490aa882218fb2880723c7ba23381545a2d7facfe0cacf4c1

Formbook

4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301

Formbook

5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979

Formbook

616838e6dfff493e546f51436ee3c0bbe99d459c18abbbb71a6207555e9d73e6

Formbook

9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

Formbook

a68cb3bf1d9d41e29fcf2e4391e827591e58783cea5a13fe95403fb6b3429b5d

Formbook

d6a8c5f4120e3be2e6d676d808dbdadc074f811398ac5b03878baba7275137d4

Formbook

da2458789c338c2719661254515dba2fc92c21ef91a11da3d192a6542ca56814

Formbook

fdc199cc7273334e37c54304964720393d2431955627567fc44c6b68a3c3e056

Formbook

+ 10'893 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:dyh6 rat spyware stealer trojan

Link:

https://tria.ge/reports/211028-p3gx6agdar/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.tttk8.site/dyh6/

Unpacked files

SH256 hash:

8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc

MD5 hash:

1bcd242e21181da424e62eba71f13e1d

SHA1 hash:

a828a27ba49cc89113fd059e5d2fc044ecb5b25b

Link:

https://www.unpac.me/results/ed074309-bff1-41af-83ac-204ec228252b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1722930/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/200929/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample