MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38
SHA3-384 hash:	a1d164be038a262a88430578a1fd20af94b5392a98a51d9db14995daf3b60f4a8bef94fe5904f7f99b5f10e918377513
SHA1 hash:	61f6ecdb564866cae9e21f15c18729336aad8e24
MD5 hash:	9cf74c9d95b6b41ddf3f67322a0dbd66
humanhash:	nevada-mexico-crazy-august
File name:	acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38
Download:	download sample
Signature	Formbook Create hunting rule
File size:	186'368 bytes
First seen:	2023-03-07 14:20:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:MWrlSVR9l3xjYPHtLyOc+B83jwS+B7ZrHBs+8bS4NJkEQ0u6ngBsulAVtFSZwYH7:MWBSH1YfYOrB83US+B7Zrr0zN9Q0uVBF
Threatray	2'337 similar samples on MalwareBazaar
TLSH	T13F041307C32E3889D6BFA5F2DD3EA17221AD4F13F8EA654D36ACB8176015B10496C17B
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38

Verdict:

No threats detected

Analysis date:

2023-03-07 14:19:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/245902d8-469d-4418-a8e3-27d73bba2d07

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/372335/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/6407484f86426ca5a86ace6b/reports/0f32de85-85a1-48d6-a0ea-b73fe38ff12a/overview

Verdict:

Malicious

Labled as:

Ser.Razy.Generic

Link:

https://www.hybrid-analysis.com/sample/acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/375808cb-0a65-4ad9-b706-e4fa07cab589

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188949

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Deletes itself after installation

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-03-07 14:49:04 UTC

File Type:

PE (Exe)

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vtkemnli7e3dm6m3ffgmxs5pudkh6nrmskpa5hshocn5k653rq4a._file

Verdict:

malicious

Label(s):

formbook

Formbook

590277f960d74add2860c7332ae427eaea968bdf3bb4d5a8da5563a3115b16f7

Formbook

6e684555c5cc0b3e36348e9bf1c5c23cf8ae19790741344295ca741233c9b846

Formbook

79ae6681fe6fdf1d7810a3bf37811b7c49f706ca0f4c04ab719633f924f727ad

Formbook

8aa4a5feee91f2caa993c9624153ee2ecbe97098fc7470a5103c408376b2a12a

Formbook

933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603

Formbook

b69a68bd6dec2421c2f725dd9fd35f3923f81f1549a936a55d8d3a978362b952

Formbook

cbce721b186a5ebb1a2c51249571d8021cc67c019a0cfbc0cef73fd1de48708e

Formbook

e8120ddaa86fc56ab083a38b22ca366809e5d1196f3c10175bc745e3dfd15750

Formbook

f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841

Formbook

+ 2'327 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230307-rng1qaad45/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

06ff71bc998daf697ea74251c41e1c4a12280262afa6b2ce56619fb3a8c6919b

MD5 hash:

6cfaa6c9d9834cc8eb980f8469e2ed28

SHA1 hash:

519db489df2fc5489eccde2d215755f361177bd8

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6ca9dbae-89e9-4c36-9949-1e5a375d412a/

SH256 hash:

acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38

MD5 hash:

9cf74c9d95b6b41ddf3f67322a0dbd66

SHA1 hash:

61f6ecdb564866cae9e21f15c18729336aad8e24

Link:

https://www.unpac.me/results/6ca9dbae-89e9-4c36-9949-1e5a375d412a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/acd4463568f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/acd4463568f93636799b294ccbcbafa0d47f362c929e0e9e47709bd57bbb8c38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372335/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample