MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 12

SHA256 hash: bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9
SHA3-384 hash: 569d1903415e2921940f5a2d043ae55202289ecddbcff818f857e29ea804174706942a07a20ddd5b3e657945351e2ef8
SHA1 hash: f57893ee437446d4fb40e6a0642d1cf05965fb72
MD5 hash: cb98b8cb0d393f8139a8b472e1df64f1
humanhash: pizza-comet-mockingbird-mirror
File name: COMMANDE EN VRAC.exe
Signature: Formbook
File size: 301'056 bytes
First seen: 2021-09-29 11:23:51 UTC
Last seen: 2021-09-29 12:48:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f249badb491e7862c803d80af2d74342 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x Formbook)
ssdeep: 6144:UurNbTll262Ad2J/JIpQSH1u1gQNdcpBnvhqcPI1+uSzy:XrNbTzOA01J581uiXBnvh5I1ay
Threatray: 8'285 similar samples on MalwareBazaar
TLSH: T13454E150E180C6F1C702153E9825CBECA13F7D4DFBE8A2776B1526DFAE79193B522242
dhash icon: c3b0f8b292dc30c3 (1 x Formbook)
Reporter: GovCERT_CH
Tags: exe FormBook
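Before touching a downloaded copy of this sample, recompute the entry's hashes and compare all of them, not only the SHA256 you searched by. The script below is an added example, not MalwareBazaar's own tooling; it uses only the Python standard library together with the four digests and the file size listed on this entry. The imphash, ssdeep, TLSH and dhash values are deliberately left out: they need third-party libraries, and the entry itself shows why imphash alone is a weak pivot (the same imphash appears on ArkeiStealer and RedLineStealer samples, so it identifies a shared import table, typically a common packer or loader stub, rather than the FormBook family).

```python
import hashlib
import os
import sys

# Values copied from the MalwareBazaar entry above (COMMANDE EN VRAC.exe).
ENTRY_HASHES = {
    "md5": "cb98b8cb0d393f8139a8b472e1df64f1",
    "sha1": "f57893ee437446d4fb40e6a0642d1cf05965fb72",
    "sha256": "bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9",
    "sha3_384": ("569d1903415e2921940f5a2d043ae55202289ecddbcff818f857e29ea804174"
                 "706942a07a20ddd5b3e657945351e2ef8"),
}
ENTRY_SIZE = 301056  # "File size: 301'056 bytes" on the entry

CHUNK = 1 << 20  # read 1 MiB at a time so large samples are not loaded whole


def _digests(chunks):
    """Feed every chunk to all four hashers in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compute_hashes(data: bytes) -> dict:
    """Hashes of an in-memory blob (handy for tests and carved payloads)."""
    return _digests([data])


def hash_file(path: str) -> dict:
    """Stream a file from disk through the hashers."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(CHUNK), b""))


def verify_against_entry(actual: dict, expected: dict = ENTRY_HASHES) -> dict:
    """Per-algorithm True/False. Hex case is normalised because feeds differ."""
    return {name: actual[name].lower() == digest.lower()
            for name, digest in expected.items()}


def matches_entry(actual: dict, expected: dict = ENTRY_HASHES) -> bool:
    """Trust the file only if every listed digest agrees, not just one of them."""
    return all(verify_against_entry(actual, expected).values())


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-extracted-sample>
    path = sys.argv[1]
    size = os.path.getsize(path)
    if size != ENTRY_SIZE:
        print(f"size {size} bytes differs from entry ({ENTRY_SIZE} bytes)")
    result = verify_against_entry(hash_file(path))
    for name, ok in result.items():
        print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

MalwareBazaar serves samples inside a password-protected ZIP archive; run this against the extracted executable, not the archive. Treat any mismatch as a reason to stop: either the download is corrupted or the file in hand is not the one this entry describes.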

Intelligence


File Origin
# of uploads: 3
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: COMMANDE EN VRAC.exe
Verdict: Suspicious activity
Analysis date: 2021-09-29 11:26:06 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour: Launching the default Windows debugger (dwwin.exe)
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 88 / 100
Signature:
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-29 09:57:59 UTC
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:dn7r rat spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction: http://www.yourherogarden.net/dn7r/
Unpacked files
SHA256 hash: bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9
MD5 hash: cb98b8cb0d393f8139a8b472e1df64f1
SHA1 hash: f57893ee437446d4fb40e6a0642d1cf05965fb72
Please note that we are no longer able to provide a coverage score for Virus Total.
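The extracted configuration gives one C2 URL, and the sandbox tag ties it to campaign dn7r. One way to turn that into a retro-hunt over web proxy logs is shown below. This is an added example, not code from MalwareBazaar or from any of the sandboxes listed above; the log line format, the source IPs and the non-C2 hosts in the sample log are constructed for the demo, and the only real indicator in it is the C2 URL from this entry.

```python
from typing import Optional, Tuple, List
from urllib.parse import urlsplit

# C2 URL and campaign tag as shown in the entry's Malware Config and Tags.
C2_URL = "http://www.yourherogarden.net/dn7r/"
CAMPAIGN = "dn7r"


def normalise_host(host: Optional[str]) -> Optional[str]:
    """Lower-case the host and strip a leading 'www.' so both forms match."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_indicator(url: str = C2_URL) -> Tuple[Optional[str], str]:
    """(normalised host, campaign path) derived from the configured C2 URL."""
    parts = urlsplit(url)
    return normalise_host(parts.hostname), parts.path


def match_line(line: str, indicator=None) -> Optional[dict]:
    """Return a hit record for one proxy log line, or None.

    Log format assumed here (constructed for this example, not a real
    product format): '<timestamp> <src_ip> <method> <absolute_url> <status>'.
    """
    c2_host, c2_path = indicator or c2_indicator()
    fields = line.split()
    if len(fields) < 5:
        return None  # malformed or truncated line: skip rather than crash
    ts, src, method, url, status = fields[:5]
    parts = urlsplit(url)
    if normalise_host(parts.hostname) != c2_host:
        return None  # a /dn7r/ path on some other host is not this C2
    if not parts.path.startswith(c2_path):
        return None  # same domain, different path: not the C2 endpoint
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "campaign": CAMPAIGN}


def scan(log_text: str) -> List[dict]:
    """Run match_line over every line of a log and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed log lines for the demo; only the C2 host is a real indicator.
SAMPLE_LOG = """\
2021-09-29T11:30:02Z 10.0.0.17 GET http://www.yourherogarden.net/dn7r/?a=1 200
2021-09-29T11:30:05Z 10.0.0.17 GET http://www.example.org/dn7r/ 200
2021-09-29T11:31:11Z 10.0.0.23 POST http://yourherogarden.net:80/dn7r/ 200
2021-09-29T11:32:40Z 10.0.0.23 GET http://www.yourherogarden.net/about/ 200
garbled line
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["method"], hit["url"])
```

Match on host and campaign path together: the same domain may also serve unrelated content, and a different domain carrying a /dn7r/ path is not this C2. This sample's configuration lists a single URL and FormBook infrastructure rotates over time, so a 2021 indicator is best used to hunt historic logs and confirmed before it becomes a block rule; the "Multi AV Scanner detection for domain / URL" signature above shows the URL was already flagged at the time of analysis.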

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Formbook
    Executable exe bbedcbe77cff074e73d9265b5cd4dfaba57b573065b1cb36e7944880a54239e9 (this sample)
      Dropped by: formbook
      Delivery method: Distributed via e-mail attachment

Comments