MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af0b3b4be6e067411c7dd407bb6d9572d085c9961893555da88e2843493dc7c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

SHA256 hash: af0b3b4be6e067411c7dd407bb6d9572d085c9961893555da88e2843493dc7c2
SHA3-384 hash: d159ed05a10a33103c26bfa723bb6150ba6371ee523bfa4cf70cc70a68f03411f0e3c888a14e8429c0d52ebaf07ae62b
SHA1 hash: 98ab22099df7d03efe0a7728e363d0c5c17efe55
MD5 hash: 48b97f7e7c934143dbfd62baf7a9a88d
humanhash: white-march-michigan-eighteen
File name: 48b97f7e7c934143dbfd62baf7a9a88d.exe
Download: download sample
Signature: Formbook
File size: 415'256 bytes
First seen: 2022-03-22 19:00:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 6144:yGimK3keS1ZL2J1GVcD6oT8H25ZvvD4MKic:QS1ZiDGVcDxgH0Z3DZI
Threatray: 14'320 similar samples on MalwareBazaar
TLSH: T1DA94F10A7890E82BD6C037744F7AD7F5A7B7AD981562411B2BF43F5B7AFE2438401222
File icon (PE): PE icon
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 206
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Trojan.NSISInject
Status: Malicious
First seen: 2022-03-22 19:01:13 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:m0e8 rat spyware stealer trojan
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SHA256 hash: d5bc9ce1f0bb6dd2313011530f12139bbc4a80facfc2cfe620a754512936551f
MD5 hash: 7c6ae3ecbea53245dc416e1faa74d7fd
SHA1 hash: 0ba46e529db3b79a42b4949aebe2acb6b754aff8

SHA256 hash: af0b3b4be6e067411c7dd407bb6d9572d085c9961893555da88e2843493dc7c2
MD5 hash: 48b97f7e7c934143dbfd62baf7a9a88d
SHA1 hash: 98ab22099df7d03efe0a7728e363d0c5c17efe55

Malware family: FormBook
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Formbook
Executable exe af0b3b4be6e067411c7dd407bb6d9572d085c9961893555da88e2843493dc7c2 (this sample)

Delivery method
Distributed via web download

Comments