MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b78a810a8191aa868b43012e177e7fba672974dfb438f31405caea35beb75a48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	b78a810a8191aa868b43012e177e7fba672974dfb438f31405caea35beb75a48
SHA3-384 hash:	a0271fa7603fc3d933ebfc987ae6d7afbfd409af2a0496aaf76771cbb4af56562a4d069a55dc58f50add7a2193704aa5
SHA1 hash:	3922ff18010e4ac942ec20033fa230d1d4a05118
MD5 hash:	a67c51bdb5f1a6c322f0220e639d0d45
humanhash:	mike-football-missouri-asparagus
File name:	SecuriteInfo.com.Win32.PWSX-gen.25985
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'042'432 bytes
First seen:	2022-09-19 06:45:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:A1ok9DKqz7Y/12uUbjToZdAcT1Fu1wJeDv2gBCB9xS/7qINShlqZSDmhAtx63dWx:U9DfzW4u6cXAcT18eJeDe4C9INotxTE
Threatray	14'418 similar samples on MalwareBazaar
TLSH	T16B25CFD6BA108556DC3A9476F8A3D1702FBA5CFDC2FEC00618D83E23B5B61B55863A13
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e8d4b2a2a2b2c4f0 (10 x Formbook, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.25985

Verdict:

Suspicious activity

Analysis date:

2022-09-19 06:47:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bc13df15-545e-4760-8460-5a9585efd271

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311198/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.25985.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6328103217fd4e865a08dee7/reports/5da165e9-1783-407c-bc0f-cf2cdfda0db3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e8e530a-d4cc-43e7-a933-7e0180fe70a2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1072724

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b78a810a8191aa868b43012e177e7fba672974dfb438f31405caea35beb75a48/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2022-09-19 03:58:13 UTC

AV detection:

7 of 41 (17.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w6ficcubsgvinc2daexbo7t7xjtss5g7wq4pgfafzlvdlpvxljea._file

Verdict:

malicious

Label(s):

formbook

Formbook

7ca3b28aa32d6b9bd972c430c47691db7212f9fd7b713c3ff2fab8b10a0bd66a

Formbook

7f0d2570e95993562f659f45e635df91b3155a8c220bc1b859f1cf838bb66278

Formbook

a2161a7d0675f94235710ab04b4324c454a76b8f3c0a30ea2ba3777e197dfcea

Formbook

ba9e6da19bce3c2fbfe97ab569379e144838a6f9245c4f4581865bc5bab3d503

Formbook

d3fe4fbe955c26eb8ea6cb273a7102168e27bbfbf86cfbd5f9e1eaa3023e231f

Formbook

da37c66e5cc323386f9637b402df14fc02cd76eb9abc6853a458d266db163088

Formbook

+ 14'408 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:e7nb rat spyware stealer trojan

Link:

https://tria.ge/reports/220919-hjlzfaggcq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/45774f3d-7dfd-419e-9a5e-c0914c27423e

Unpacked files

SH256 hash:

db6ae0ccd2db56b33660156b9fb27c0f81a1c35e171f3464627d432eab2619ef

MD5 hash:

13359d2c2b1ab26168847e365cd43773

SHA1 hash:

97764b4ac49b29c23c7da8f746c12a2083c52d50

Detections:

XLoader

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

Parent samples :

7f0d2570e95993562f659f45e635df91b3155a8c220bc1b859f1cf838bb66278
da37c66e5cc323386f9637b402df14fc02cd76eb9abc6853a458d266db163088
b78a810a8191aa868b43012e177e7fba672974dfb438f31405caea35beb75a48
67dfdca1a2d42035d8ef9bde053531051793e2f13e30b8f1fe0a81fdd52e99fb
e5afa7413d271eb60f89be735d02aee02bb7390c022eeadf46ff30448416995d
71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42

SH256 hash:

41b028c61e5d5e961a675b3fcbf760e0495aaed32681847a01e2b0e9be704bdf

MD5 hash:

b7fd0ed124454c48dd419306d4e2acd9

SHA1 hash:

9ae87d0a7f0fdb2964b5986a229753c49d467a0e

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

SH256 hash:

8d99e1ed9bede4f188a844503ed4b4a902abb21452443f761a566245181abd5f

MD5 hash:

d3cd621598bfd7e14693a3ea808e7e73

SHA1 hash:

ef179dc8b95c0bf13ae7988d602d8c8d163002c1

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

SH256 hash:

dcda21ff59349c348f2a5ba5182339820ce80e5264ee539ea2697736be37a11f

MD5 hash:

2efade02b490aa14ed2f4dbf03b30b7a

SHA1 hash:

9573f00360b8385bf0a05c1575350fc8fcf8dd1c

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

SH256 hash:

82b966fec43cc2d0003627dc78af2580d769ffefb7c7dc60bcce126e3c126d71

MD5 hash:

f39662334fb704728120c3b4c8cecdbc

SHA1 hash:

61741d41d129250e33748fa687a562d998b1e173

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

SH256 hash:

44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc

MD5 hash:

d012ba9057bf67c7f29871326f2af919

SHA1 hash:

1d5b8b512b37f0e1900496b578117082929654c7

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

SH256 hash:

b78a810a8191aa868b43012e177e7fba672974dfb438f31405caea35beb75a48

MD5 hash:

a67c51bdb5f1a6c322f0220e639d0d45

SHA1 hash:

3922ff18010e4ac942ec20033fa230d1d4a05118

Link:

https://www.unpac.me/results/26c02bba-5231-470b-a731-bb0dd8fbe765/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b78a810a8191aa868b43012e177e7fba672974dfb438f31405caea35beb75a48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311198/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample