MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655
SHA3-384 hash:	4daa970537847c0c38fe6e5972e8f18fd56c53aa6b2affd7ab50e29a9e4cf1fbc7eee18f19e8a0934fda658d3d1a5b7f
SHA1 hash:	4bc52c2e50d060fbb7cfc9b8c4117d11a725545b
MD5 hash:	fb84737f40bc9ce4eef90b0cff517168
humanhash:	twelve-eight-sixteen-steak
File name:	sample.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	700'000 bytes
First seen:	2023-08-24 13:38:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:mbv/e1UGXD8sm9PVtcxZ0hTS3bIbEBgJmo:meUGXD6hmLPBgJmo
Threatray	1'652 similar samples on MalwareBazaar
TLSH	T1CBE4129390796A1DCB29A3F6B95B3BC41AEE3F0D43B19B31F8E69168830445951CC2F7
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

sample.exe

Verdict:

No threats detected

Analysis date:

2023-08-24 13:41:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5c03ae14-ac51-47ba-932b-cee9a290cdf4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444540/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Gathering data

Verdict:

Malicious

Labled as:

Trojan.FU.Generic

Link:

https://www.hybrid-analysis.com/sample/bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0ba01371-89cf-44d3-b680-090cbb46f797

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1296712

Signature

Antivirus / Scanner detection for submitted sample

Deletes itself after installation

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-08-24 13:39:12 UTC

File Type:

PE (Exe)

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xmkivte2f25akcisj5wvbiim77fl6kvbfprchxijg3nitdrvkzkq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0f8f203e0b21e34ad21c3e762dbae4c4c7b158624a5f805ebf19e8ba05c76e5d

Formbook

4eecf4c73d1d4ce4d43ecd6b4d1d3e9c5ea8a310b2cb45e9bf16847863febf4f

Formbook

7ca3b28aa32d6b9bd972c430c47691db7212f9fd7b713c3ff2fab8b10a0bd66a

Formbook

ae5b79157725bbacf7138beacbb877a5144a3e5818232b5949032941df21f7a4

Formbook

b2f634be000cf32e481c6f66928d8a428a3481f17c7a045a39150bdf9ae6dbe7

Formbook

cea0844bf755c190793ac29a2cd95220862993a84c5924faeddce381fcdf063c

Formbook

ddb24ba8d91f511ca86554d35f16cb9ef5d6103f5275c90217bc8ddb35111616

Formbook

e8db90d8d2528f0767e5b82262223e07578e29f8e4166df3cf495318006ebbd6

Formbook

e99dc54786d789c023b028074e4fa0858d1cf59a04d7fd2f33319a24dfd7a978

Formbook

+ 1'642 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230824-qxy5xsed61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

e798bbbee8cf3a63d3bb9b8d69a8f2a7a4f4430aafb60989c84e330fb6a881b5

MD5 hash:

930097ff441e2fea473cd81cc776d9e1

SHA1 hash:

ce1e66a49d36736e16cfb2dd0dbbedcd824d3787

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/5fe189c5-058d-42e1-81ad-fe8b140ef0f7/

Parent samples :

bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655
e798bbbee8cf3a63d3bb9b8d69a8f2a7a4f4430aafb60989c84e330fb6a881b5

SH256 hash:

bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655

MD5 hash:

fb84737f40bc9ce4eef90b0cff517168

SHA1 hash:

4bc52c2e50d060fbb7cfc9b8c4117d11a725545b

Link:

https://www.unpac.me/results/5fe189c5-058d-42e1-81ad-fe8b140ef0f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/bb148acc9a2eba0509124f6d50a10cffcabf2aa12be223dd0936da898e355655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/444540/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample