MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0
SHA3-384 hash: a26aaac7b53ee8f2c0e4b3111640a011ca3c8bcc48a6155e1548b5f6c486973d149404fd181d444bece3b2d8f0dd0caf
SHA1 hash: e5c07db0dfa2eecb848131ee702ec2df408e7b20
MD5 hash: 671c417da43176bf5ed787059f578f51
humanhash: salami-early-carpet-seventeen
File name:671c417da43176bf5ed787059f578f51
Download: download sample
Signature Formbook
Create hunting rule
File size:247'109 bytes
First seen:2022-03-31 10:05:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmUB7qeXGjJEGVUA5BpODlAjiHLGh6CP4SmS94oYdw0a:HNlURqeXOJhayfOxAWy6NXSLMs
TLSH T14134128823E4C19BC5D359343C7E7A675BEA9E028444931F23607B4CBE77641A95F38B
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260045/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12191/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62457d101f204239485b2f2a/reports/fef367d7-a033-4eba-a445-17a014b29949/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3434130c-c8e0-4c2a-a201-6793c2bbc59b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/968182
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-03-31 10:06:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:j37e rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220331-l43pgaecgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
67acfedd68af88fb3c481626185b8856817861c68dc658b56b1559d16820954e
MD5 hash:
f9a244255dfd955df71bd5efea8156d9
SHA1 hash:
7394fd41914e11d1b8e2ca04d3803d8b3a37fe4a
Link:
https://www.unpac.me/results/eac16eec-7837-44ef-8e01-44476642e992/
SH256 hash:
a50e91a0ce22c1f3a1334925d8adb61912258cef1a881cefda7343a2f6922ebf
MD5 hash:
154fe134b82fe92fb56d73e27f0d3b0f
SHA1 hash:
8fdca7101a35c905ff845648fbdd6f9a1403bd70
Link:
https://www.unpac.me/results/eac16eec-7837-44ef-8e01-44476642e992/
SH256 hash:
da6dfc55001f1cf3cf91be517e8604c210fd29fa70682a19a29071be4588332a
MD5 hash:
a4bec6151c3ebaed0cafed589847a5b8
SHA1 hash:
64e75b2ae3deed59ac3b3f875dac05d871eaaca9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/eac16eec-7837-44ef-8e01-44476642e992/
Parent samples :
7ba55a70c783f2c7abacc211f36b6c028cca7b3c4074b63ee23a468daf6fe190
af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0
4d7d3d03b92acfa2591526216b348015d62520c5cd6340f1da49a7023cae1bf9
0f560de21b29d2d5694282c718d3e87323d230d24065ead09d3b3988b6423840
SH256 hash:
af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0
MD5 hash:
671c417da43176bf5ed787059f578f51
SHA1 hash:
e5c07db0dfa2eecb848131ee702ec2df408e7b20
Link:
https://www.unpac.me/results/eac16eec-7837-44ef-8e01-44476642e992/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe af16c852a919a985ef1bc1a6f004104112e572d691948afe4c6a496b1b9ab6f0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2124026/
Cape
Cape
https://www.capesandbox.com/analysis/260045/

Comments


Avatar
zbet commented on 2022-03-31 10:05:17 UTC

url : hxxp://192.210.149.28/604/vbc.exe