MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c7d85b71168a227630f11b74f10aead1d659a5ac9353bbd2a64f89a4f09561. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	b1c7d85b71168a227630f11b74f10aead1d659a5ac9353bbd2a64f89a4f09561
SHA3-384 hash:	1f92e0d6d23f7dd543520929945eef39637fdbceeb2b4261e662d821692b476ea6cef1474e9450bc097e8507c6b1ef1a
SHA1 hash:	9bdfce77846bfa373a88373b009df76d1bae191e
MD5 hash:	995af99408580d7fc0646715b7415b37
humanhash:	edward-sixteen-connecticut-batman
File name:	SecuriteInfo.com.Gen.Variant.Nemesis.22775.910.6254
Download:	download sample
Signature	Formbook Create hunting rule
File size:	370'001 bytes
First seen:	2023-07-06 14:39:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep	6144:/Ya60G4z100ZEfEWCTCC6aXpJoubyFp/Zm4uhLZDGNZEQ:/Y6G4zlZEfEZC7gJoubim4u5A/
TLSH	T1C47423A096F4E0A7E4E357322CB778A95FE1D83538F8450A27645B9EF52F740A10D3B2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Gen.Variant.Nemesis.22775.910.6254

Verdict:

Suspicious activity

Analysis date:

2023-07-06 14:41:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ef86dd42-6feb-4ad8-8e3b-1dca3d3944b1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/409717/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

SecuriteInfo.com.Gen.Variant.Nemesis.22775.910.6254.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/96035/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/64a6d24560057e50068458d7/reports/9dc2fb5d-f309-402a-8a77-fa698800140a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b1c7d85b71168a227630f11b74f10aead1d659a5ac9353bbd2a64f89a4f09561

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6e6345b5-94c2-457e-940d-1056cea23738

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1268246

Signature

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1c7d85b71168a227630f11b74f10aead1d659a5ac9353bbd2a64f89a4f09561/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-07-06 07:14:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=whd5qw3rc2fce5rq6enxj4ik5li5mwnfvsjvho6suzhytjhqsvqq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230706-r1vscadd4y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

4fdde4511ff4f233b5e46039a0e40b6057926361551ad84fd75452a169d98c0e

MD5 hash:

b69316ae3ba3008b8fefb6e8754450cd

SHA1 hash:

3ff9900b543632987962f26c5365fd3715b4fc73

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

29f405ec11948241e616eb03d9eb80cbed2ac9f515e5e0d8e74f1e7cdb45c588

MD5 hash:

0ff068698cfef3faa866928296b2c82f

SHA1 hash:

23bcfee5616d021b8cf845a755c5fae23c9a25a7

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

c32338cfc3b63975693a3e49a0a2d4d08a832b9ecc65e6f18b25140790df2de2

MD5 hash:

f3988fcf1d4348e0f71022b513b964cf

SHA1 hash:

e93061c33aadf7c7c70c1f077153a3c8446d08ce

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

4fdde4511ff4f233b5e46039a0e40b6057926361551ad84fd75452a169d98c0e

MD5 hash:

b69316ae3ba3008b8fefb6e8754450cd

SHA1 hash:

3ff9900b543632987962f26c5365fd3715b4fc73

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

29f405ec11948241e616eb03d9eb80cbed2ac9f515e5e0d8e74f1e7cdb45c588

MD5 hash:

0ff068698cfef3faa866928296b2c82f

SHA1 hash:

23bcfee5616d021b8cf845a755c5fae23c9a25a7

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

4fdde4511ff4f233b5e46039a0e40b6057926361551ad84fd75452a169d98c0e

MD5 hash:

b69316ae3ba3008b8fefb6e8754450cd

SHA1 hash:

3ff9900b543632987962f26c5365fd3715b4fc73

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

c32338cfc3b63975693a3e49a0a2d4d08a832b9ecc65e6f18b25140790df2de2

MD5 hash:

f3988fcf1d4348e0f71022b513b964cf

SHA1 hash:

e93061c33aadf7c7c70c1f077153a3c8446d08ce

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

29f405ec11948241e616eb03d9eb80cbed2ac9f515e5e0d8e74f1e7cdb45c588

MD5 hash:

0ff068698cfef3faa866928296b2c82f

SHA1 hash:

23bcfee5616d021b8cf845a755c5fae23c9a25a7

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

c32338cfc3b63975693a3e49a0a2d4d08a832b9ecc65e6f18b25140790df2de2

MD5 hash:

f3988fcf1d4348e0f71022b513b964cf

SHA1 hash:

e93061c33aadf7c7c70c1f077153a3c8446d08ce

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

SH256 hash:

b1c7d85b71168a227630f11b74f10aead1d659a5ac9353bbd2a64f89a4f09561

MD5 hash:

995af99408580d7fc0646715b7415b37

SHA1 hash:

9bdfce77846bfa373a88373b009df76d1bae191e

Link:

https://www.unpac.me/results/6a44b81d-cbed-478d-9c01-ca907cb3c72c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1c7d85b71168a227630f11b74f10aead1d659a5ac9353bbd2a64f89a4f09561

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Formbook Create hunting rule
Author:	@malgamy12

Rule name:	Windows_Trojan_Formbook_1112e116 Create hunting rule
Author:	Elastic Security

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

Rule name:	win_formbook_w0 Create hunting rule
Author:	@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/409717/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample