MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51
SHA3-384 hash:	664a19a29573b9acb0e402835e32222ac0e68dbac32a593f7da6ad60e708da333d2f4952a86a4f06cc4ebeceb8cede83
SHA1 hash:	be8b977fad9149cb1e04567daea3c5157dcade47
MD5 hash:	c7157eeb8d5362d452dea1ba26b1b67c
humanhash:	carbon-august-ceiling-november
File name:	SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80642.18653.11801
Download:	download sample
Signature	Formbook Create hunting rule
File size:	304'199 bytes
First seen:	2021-11-24 21:05:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGiaAXCb429HwprhohVtThz/9VE8z9SLzAOVzF4sLoAqnVFxl:6b425wprWtVz/PEugAOxF4yohHxl
Threatray	11'622 similar samples on MalwareBazaar
TLSH	T19754222627D44E37CF0604B21C3BA77E9BB7A1E082116ED77F50ADBDF218992590A713
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80642.18653.11801

Verdict:

Malicious activity

Analysis date:

2021-11-24 21:15:41 UTC

Tags:

installer

Link:

https://app.any.run/tasks/ed6d7eff-5f17-4988-b920-854a52c7f2fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80642.18653.11801.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/619ea93ef36138de3f3aa048/reports/a9de91ae-97e4-45af-b87b-7cd819b72eea/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a0f06f3-7ef9-4f9d-8b07-481fc07a0c4b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/895770

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-11-24 21:06:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

26b24cfe3b0bb84b26fc83ce689b74728ac61f32391772dcc76eab04cc7042b5

Formbook

28b7c509a791caa6448666e9ea27d735770665cce23d0ca8a05404f41db299ec

Formbook

4a2907475d0024c654da40187933dbb740f743d6adaeae9595c43502e2092772

Formbook

578a65819b95b3c817cd4d6dfe3ef9855ffb7309ef3ae8ce904fb558e262a86d

Formbook

6af0f1291317c39b44b04f067cba3aba04781f54e2dbc8932acf57f321fdec76

Formbook

6c505769c3fd238742b1a9ae5620afc9c4c24e37c5e749feda8eac24417faa23

Formbook

7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0

Formbook

a33cbeb94697eb2355ea92f44f065e52461adaf621ad548d066dc73d6d76eeb9

Formbook

+ 11'612 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:h2b0 rat spyware stealer trojan

Link:

https://tria.ge/reports/211124-zxqm8adfej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.brocoser.com/h2b0/

Unpacked files

SH256 hash:

b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51

MD5 hash:

c7157eeb8d5362d452dea1ba26b1b67c

SHA1 hash:

be8b977fad9149cb1e04567daea3c5157dcade47

Link:

https://www.unpac.me/results/5d9f6018-6c1d-4e74-9aa3-4bfb617fdca8/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b52af14eb676/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1813697/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/209199/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample