MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a07f1f0d93911f880923cb4d68f7edef004f110dc036d694acf90145e813a5a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	a07f1f0d93911f880923cb4d68f7edef004f110dc036d694acf90145e813a5a3
SHA3-384 hash:	290e74da2712c059822706ec2092d2f87d7cbffbbb7784475e4bddb0a932c5fc4033319cca8e609eb1cb0a04091d3521
SHA1 hash:	199002736f329d94d25d3a1dffc2078d96b5ca05
MD5 hash:	e93f8b291deacdbbe9c1009935b87b82
humanhash:	hamper-delaware-uniform-vermont
File name:	Prueba de pago_pdf.scr
Download:	download sample
Signature	Formbook Create hunting rule
File size:	412'672 bytes
First seen:	2021-10-02 07:15:18 UTC
Last seen:	2021-10-02 08:27:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0c041fb9d9286e241f4f51f0ab8f3f03 (4 x RedLineStealer, 3 x RaccoonStealer, 1 x CryptBot)
ssdeep	6144:kcRKUL2Vk841Stjm66L2Fc/LqurUUAMbfg1UIqJL6UXbkIpOOhxxdeTr/ekI:/kUa14wtjmxj/LqruL6UbkINzxd6L
Threatray	8'338 similar samples on MalwareBazaar
TLSH	T1B894DF093282CFF2D57005B1AB16CBE1463DBC5D5C2F724BBB94765E7E3D391AA22242
File icon (PE):
dhash icon	1e6230f034b4b020 (1 x Formbook)
Reporter	abuse_ch
Tags:	ESP exe FormBook geo scr

Intelligence

File Origin

# of uploads :

2

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

Prueba de pago_pdf.scr

Verdict:

Suspicious activity

Analysis date:

2021-10-02 07:18:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb0644c0-496e-41d6-a97f-a33248fa4232

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194141/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.15682.26678.26038.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e9836778-4491-4181-95b9-11f4d504e3cb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/863100

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a07f1f0d93911f880923cb4d68f7edef004f110dc036d694acf90145e813a5a3/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-10-02 07:16:10 UTC

AV detection:

26 of 45 (57.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ub7r6dmtsepyqcjdzngwr57n54ae6einya3nnffm7eaul2atuwrq._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

218a43f5f1a1bb3a7974fe8fd0532829b1b858dec3c8d6bc2a5835a6bb735321

43b700fc142394fc70144cda363405f0bb42fd717a4321ac7e4440836457d5fd

5f037c930f37e4307f4582f99aab214301591f3b87e9a0500cc3c7130fa209b1

85e45fbdd69f39214a4e3f588d14b1be4a7d81f4503813e1ab834c3525e568a8

9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095

bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9

cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753

e7d4b1fb8d668e0b01943e63024f65809c6f1ee73ebcc8a969970a29138d85b0

f23ad612df5b25814d5448be9505bc76b8b763dfd622e69a4915736fad6d9d55

+ 8'328 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:dn7r rat spyware stealer trojan

Link:

https://tria.ge/reports/211002-h3t46adhe5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Formbook Payload

Formbook

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://www.yourherogarden.net/dn7r/

Unpacked files

SH256 hash:

a07f1f0d93911f880923cb4d68f7edef004f110dc036d694acf90145e813a5a3

MD5 hash:

e93f8b291deacdbbe9c1009935b87b82

SHA1 hash:

199002736f329d94d25d3a1dffc2078d96b5ca05

Link:

https://www.unpac.me/results/5d5a93ee-3341-4b90-bdce-b5b2a279e386/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a07f1f0d93911f880923cb4d68f7edef004f110dc036d694acf90145e813a5a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/194141/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample