MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17
SHA3-384 hash:	fbeba4a03829b5c8e983a3c7e76d410aa8cda9cddecfef8ad4e76fc07eb580745b9809d1fe8b859c55841182ed29a734
SHA1 hash:	9a0606c633ffe5ae4b6dcb7dcfba57b7e22cb05d
MD5 hash:	89cfb542cda6a428cc5c02feaf3c55f8
humanhash:	oklahoma-alpha-iowa-west
File name:	SecuriteInfo.com.Variant.Zusy.394472.15672.20727
Download:	download sample
Signature	Formbook Create hunting rule
File size:	198'124 bytes
First seen:	2021-07-22 08:47:18 UTC
Last seen:	2023-06-08 13:45:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ad7593902351b94d30c5d42690419916 (2 x AgentTesla, 1 x Formbook, 1 x Loki)
ssdeep	3072:p5y2zSw5QFZ5h8gOgXN15tm4Inoll4wegWYXzb+f3iIvwDrqvHDlkNBKrD9CafOn:Dy2OVbFvLKzTwePi+nQrU8+fLBcMQ
Threatray	6'727 similar samples on MalwareBazaar
TLSH	T1031412870B9FAB56C261D3B7429CE93BD636A1F3558F422B1715F70B80E11C44616F83
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Zusy.394472.15672.20727

Verdict:

Suspicious activity

Analysis date:

2021-07-22 08:50:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0aa8addb-508b-43f9-a07c-e9631f0df006

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/173264/

Detection(s):

SecuriteInfo.com.Variant.Zusy.394472.15672.20727.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b8c6dcf-746a-4ac7-89c6-5d34c9468e1b

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820023

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17/

Threat name:

Win32.Trojan.VirRansom

Status:

Malicious

First seen:

2021-07-22 03:41:08 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wzr75j3kvw7vots3xh3qjllit3aq6dlsbmfzmqphbmtust7ezqlq._file

Verdict:

malicious

Label(s):

formbook

Formbook

30e3ae78d7104db0f2d4efa2d4588b1dce2e37a5f2a51968add9337108e1d610

Formbook

71cb97b67ebcc50a0bef217b3ca9591cfa49f6b8c8d11ee9952c2cde0b7b6a51

Formbook

818b8b831f3c774e034e2794f1eae71f62f5388355916e948b472cfdac7f5508

Formbook

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

Formbook

b35de004189f271fe754dd614e5fbbc299425f5aca9ebf1f935bf26696964853

Formbook

b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897

Formbook

f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c

Formbook

+ 6'717 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210722-see98x48pe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.yjhlgg.com/grve/

Unpacked files

SH256 hash:

8afb4b443e7cd9530293d42b0782a7c08e4c25f2bb33b15613bd5e016b47937a

MD5 hash:

3262a0b94c21371f333e342b31f87f13

SHA1 hash:

fb42ef406ee76e6e84f8456188dff8f85401d981

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/1317a123-7570-4c64-af7e-b06e89cdd8e9/

Parent samples :

e92575edf627cec919538f92983c709e468c7c671fc8f7df767624b514e3104a
71cb97b67ebcc50a0bef217b3ca9591cfa49f6b8c8d11ee9952c2cde0b7b6a51
b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17
7b40c9c16df4b35ae04076a8afd38c4fe4bf5525bb388ea3871ec2371fa9e049
57f24fb8b5067342be6583d562e3f4e2eda6657e6574cf41290c6c0faa6e508b
a3381d8be907792db980f3e9cca2965af5b5f9057fc717a5de48760feb45aa49

SH256 hash:

b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17

MD5 hash:

89cfb542cda6a428cc5c02feaf3c55f8

SHA1 hash:

9a0606c633ffe5ae4b6dcb7dcfba57b7e22cb05d

Link:

https://www.unpac.me/results/1317a123-7570-4c64-af7e-b06e89cdd8e9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.13

Link:

https://yomi.yoroi.company/submissions/b663fea76aadbf574e5bb9f704ad689ec10f0d720b0b9641e70b27494fe4cc17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173264/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample