MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a
SHA3-384 hash: 7c3cded7baa04a420549491b677edbbad6451c3852cef3724d2dbb87a6934cfbe58eb999e0a99d3d8f460cd2dc9193c2
SHA1 hash: 2bbbeb65af7089f73bb5974941d2ca877d19ce28
MD5 hash: 7210e586178e2a144a8f38e1d0814573
humanhash: equal-hot-lithium-magazine
File name:file
Download: download sample
Signature Formbook
Create hunting rule
File size:856'576 bytes
First seen:2023-03-23 13:03:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:z8QB+UZGELUTYB7T01XxBolcs/IGjqTxBvq:YQBhZVU8B7iBo3beTny
Threatray 2'331 similar samples on MalwareBazaar
TLSH T1D605E010FE7A4972F8DAE3B45450133A07A9BBA25066D6998EBD68C93CDFF6700D011F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET exe FormBook MSIL

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-23 13:10:21 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/4062816e-57af-4bd4-88c7-84adae10b3ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376848/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif packed threat virus
Link:
https://www.filescan.io/uploads/641c4e47b270ef3bdbe3c8ec/reports/232fbbe6-e521-4e1f-b1fd-49071d1df791/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12a60907-5ce2-492b-bf85-1152ff014fc4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200690
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 833598 Sample: file.exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 4 other signatures 2->40 8 file.exe 3 2->8         started        process3 file4 22 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->22 dropped 50 Injects a PE file into a foreign processes 8->50 12 file.exe 8->12         started        signatures5 process6 signatures7 52 Modifies the context of a thread in another process (thread injection) 12->52 54 Maps a DLL or memory area into another process 12->54 56 Sample uses process hollowing technique 12->56 58 Queues an APC in another process (thread injection) 12->58 15 explorer.exe 1 1 12->15 injected process8 dnsIp9 24 www.222ambking.org 91.195.240.94, 49701, 49702, 80 SEDO-ASDE Germany 15->24 26 www.younrock.com 81.17.18.196, 49705, 49706, 80 PLI-ASCH Switzerland 15->26 28 10 other IPs or domains 15->28 30 System process connects to network (likely due to code injection or exploit) 15->30 32 Performs DNS queries to domains with low reputation 15->32 19 mstsc.exe 13 15->19         started        signatures10 process11 signatures12 42 Tries to steal Mail credentials (via file / registry access) 19->42 44 Tries to harvest and steal browser information (history, passwords, etc) 19->44 46 Modifies the context of a thread in another process (thread injection) 19->46 48 Maps a DLL or memory area into another process 19->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 13:04:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tb7uo7tcn5l4josebprqc2mvww45ons2iiwauhm34usojgj556fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
Formbook
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
Formbook
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Formbook
5a2e7eb559e1d587d537ff0033d00fb27f7e17bf0c2a5db6bb3842b9e2fa9972
Formbook
aeb52b6f9b9f7b458048aa0eba6255840d1a90f4309f18c95acc0f3f4b972df3
Formbook
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Formbook
ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Formbook
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
Formbook
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
Formbook
+ 2'321 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230323-qax94shg2t/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
78a2b4466fbc186b8de6423771ab90dffa1566a2135ca9741d94526387570f15
MD5 hash:
26e7995333278eda4c3a54e570d09ba4
SHA1 hash:
5967ffee8562982633e3d4a9f8696853b298a1d0
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
Parent samples :
e62c1e809c48e66104c34ae3e977b82fbea2e984dee708bda431b608c2774c28
052b6162527da70a384bfa5712e60c065c4d449cc70b6619ec2a50c0a92e2493
1a5f6d761050ca929b99fc66e7c4b57f321421a7372dc752d8000e79bb920ca0
dc2f8a85b52e8562ada16c2ee6cda9770a3c010f894901844d0104476bae67b3
987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a
2333130311b7b060f360196c5629af0ca1919366d2de939c067e0396602d0acb
961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7
0b4d4ab86573d05f38f7d2fe83635c75da4462eacadd1859f00bdbdc3809f6fe
49c63fe83f7e41b112637d582cd180214acf60babf4cdd13a2629f9de3874fec
3ab1320757d68dbf0e5eb5d31cf81247952c244bbfbda9466cd83d112efc2c72
d546617fa87ea382d7d36b61fa9a69e447bcc69f9bb366f52f3c1df3ebf9254f
039e36a97d5fbc019edd6f7a69d2f89bc8ba24c73c08268831274fe58fa7dbfa
426c06ac810480970dbbd6cbfa2a6e9880ff50b35fd4576986400acce4af949f
00d3d0c49343dba533737e4a17cf453697aa569b00d07deb2cd7688c66d88ada
fe769c40bdc4ba83422c97df176374bb3846f4cc941ecbbfb47383321dfabdca
7517367b3b61170bb7637de6f89077069159c4a04f430c28102e2d7cf5a0343a
89fd567270112eb3494cd4253f2babe024465e60fb28c64800901ccdb3d7fdd2
2f06963075874a8b1b409c7d9fb443c4fffe7d8936936d49f00c0c5d1b71590c
SH256 hash:
e36372186eecde198f00b7f8c03de639d3c140c72fb92125aac96a916c6d80fb
MD5 hash:
dda34f0fa94e644b7a5d668cc280e7a3
SHA1 hash:
6ea3c9d56032544c49bbe677abadc2d7bea801b1
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
cde0d3400cd787fce5d1b95fa52908d64831430cc90dafddbaa79ae0d03bb3d0
MD5 hash:
06a5bc1d3143bcac174d81c5ffc09def
SHA1 hash:
650fb4549fb98ee4c7be5e03bf670241e6339cd0
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
SH256 hash:
8131b9bcbd70775534f3651e6a15a1512fe88e47b5f4c43abb94066180d9cede
MD5 hash:
2f7cad0361ecc8d11b14d4807f0a43ec
SHA1 hash:
40bd0a2b2e524b83977ce58c2ae75e78c151fc50
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
SH256 hash:
8cf5ea13b47e343736196df8ea4cb901a213357164b67c6c95342aea0717d220
MD5 hash:
eec918e2d762fcf4db81dbfb3744fb20
SHA1 hash:
3c277331570c2ef523252da6f674dadd7215fb34
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
SH256 hash:
987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a
MD5 hash:
7210e586178e2a144a8f38e1d0814573
SHA1 hash:
2bbbeb65af7089f73bb5974941d2ca877d19ce28
Link:
https://www.unpac.me/results/eff2935b-febd-4f8a-9993-9ff169a9c8f3/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/987f477e626f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 987f477e626f57c4ba440be3016995b5b9d7365a422c0a1d9be524e4993def8a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/376848/
  
URLhaus
https://urlhaus.abuse.ch/url/2581292/

Comments