MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf64131372e368ffb93f50038fca0362b3694c5b59e5285ba23b65326098e6e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 5

SHA256 hash: bf64131372e368ffb93f50038fca0362b3694c5b59e5285ba23b65326098e6e3
SHA3-384 hash: bc74c713843cbef8acdaaa36c11c647e0ed362cda0b135a9af6c7f8d24b902bd8d84ccfadb6736f5cda4ccad078e5e9e
SHA1 hash: e7fe177a4ed41658aa67c6879ecc5f9b9499357c
MD5 hash: e3c4ffc7526eb7346e7137f07be4afd3
humanhash: texas-washington-alanine-diet
File name: wrar60b2.exe
Download: download sample
Signature: Formbook
File size: 3'099'392 bytes
First seen: 2020-12-24 08:29:45 UTC
Last seen: 2020-12-24 10:49:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 49152:KNRBfJXAEBguLm7LqkfuV1QH4J+f5S5IBf0AyJSNlz7wBOyZja:WRBfKEOPnE1ACAcK+PawDNa
Threatray: 336 similar samples on MalwareBazaar
TLSH: 2DE52322FAC048F2C5B206745575A776393DBE700F24A6CFB7A40C5E9F322C15A3A766
Reporter: FORMALITYDE
Tags: exe FormBook

Note on the imphash: it is shared with hundreds of DCRat, NanoCore and njrat samples, so it identifies a common packer or loader import table rather than the Formbook payload itself; pivot on it to find related droppers, not to attribute the family.

Code Signing Certificate

Organisation: Symantec Time Stamping Services CA - G2
Issuer: Thawte Timestamping CA
Algorithm: sha1WithRSAEncryption
Valid from: Dec 21 00:00:00 2012 GMT
Valid to: Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95

Caveat: the certificate listed here is, by its own subject and issuer, a time-stamping CA certificate from the signature's timestamp chain, not the signer's leaf certificate, so the 85-sample count is grouping on a shared CA rather than on one signer identity. The YARA match in this entry (INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395) keys on a different serial, 731d40ae3f3a1fb2bc3d8395, which is the certificate to pivot on.
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 268
Origin country: n/a
Vendor Threat Intelligence

ANY.RUN
Malware family: n/a
ID: 1
File name: COPY CONFIRM.rar
Verdict: Malicious activity
Analysis date: 2020-12-24 06:32:56 UTC
Tags: trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample. The sandbox record carries the archive name COPY CONFIRM.rar rather than the indexed file name wrar60b2.exe, which is consistent with the delivery method recorded below (an e-mail attachment containing the executable).
Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a window
  Searching for the window
  Sending a UDP request

Result
Verdict: 8

Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 9 / 100
Behaviour:
Behavior Graph: n/a

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  Modifies Internet Explorer settings
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx

Unpacked files
SHA256 hash: bf64131372e368ffb93f50038fca0362b3694c5b59e5285ba23b65326098e6e3
MD5 hash: e3c4ffc7526eb7346e7137f07be4afd3
SHA1 hash: e7fe177a4ed41658aa67c6879ecc5f9b9499357c

The vendor verdicts above disagree (Clean, 9/100, 6/10) although the sample carries the Formbook signature and ANY.RUN rated it Malicious activity. SetWindowsHookEx and repeated GetForegroundWindow calls are the primitives a keylogging stealer uses to capture input and track the active window, so the low static scores should not be read as a clean bill; the unpacked-file hashes are identical to the sample's own, i.e. no distinct payload was extracted by that sandbox.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificate
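
The following script is an added example (not MalwareBazaar's or ReversingLabs' code) showing the three checks a practitioner runs against an entry like this one before analysis: confirm a downloaded copy's four digests and size against the record, confirm the listed certificate's validity window covers the first-seen time, and compare the serial embedded in the INDICATOR_KB_CERT rule name with the serial shown in the certificate block. RECORD copies the values from this page; SAMPLE_BYTES is a constructed stand-in for the real file, so the digest checks fail for it exactly as they would for a truncated or mis-named download, and the rule-serial comparison returns False because the rule fired on a serial other than the one displayed above.

```python
"""Cross-check a downloaded copy against its MalwareBazaar record.

Added example, not MalwareBazaar or ReversingLabs code. RECORD holds the
values shown in the entry; SAMPLE_BYTES is a constructed stand-in for the
real file, so the digest checks are expected to FAIL for it.
"""
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Field values copied from the MalwareBazaar entry above.
RECORD = {
    "sha256": "bf64131372e368ffb93f50038fca0362b3694c5b59e5285ba23b65326098e6e3",
    "sha3_384": "bc74c713843cbef8acdaaa36c11c647e0ed362cda0b135a9af6c7f8d24b902bd"
                "8d84ccfadb6736f5cda4ccad078e5e9e",
    "sha1": "e7fe177a4ed41658aa67c6879ecc5f9b9499357c",
    "md5": "e3c4ffc7526eb7346e7137f07be4afd3",
    "file_size": 3_099_392,
    "first_seen": "2020-12-24 08:29:45 UTC",
    "cert_serial": "7E93EBFB7CC64E59EA4B9A77D406FC3B",
    "cert_valid_from": "Dec 21 00:00:00 2012 GMT",
    "cert_valid_to": "Dec 30 23:59:59 2020 GMT",
    "yara_rules": ["INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395"],
}

# The four digests MalwareBazaar indexes, mapped to hashlib constructors.
DIGESTS = {
    "sha256": hashlib.sha256,
    "sha3_384": hashlib.sha3_384,
    "sha1": hashlib.sha1,
    "md5": hashlib.md5,
}

# Constructed placeholder: NOT the sample (which is 3,099,392 bytes).
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real file"


def file_digests(data: bytes) -> Dict[str, str]:
    """Return all four indexed digests of `data` as lowercase hex."""
    return {name: fn(data).hexdigest() for name, fn in DIGESTS.items()}


def verify_sample(data: bytes, record: dict) -> Dict[str, bool]:
    """Compare a blob against the record. Every check must be True before
    the blob can be treated as the indexed sample; a single mismatch means
    a different, truncated or re-packed file."""
    actual = file_digests(data)
    results = {name: actual[name] == record[name].lower() for name in DIGESTS}
    results["file_size"] = len(data) == record["file_size"]
    return results


def parse_cert_time(s: str) -> datetime:
    """Parse the 'Dec 21 00:00:00 2012 GMT' format of the certificate block."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_seen_time(s: str) -> datetime:
    """Parse the '2020-12-24 08:29:45 UTC' format of first/last seen."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def cert_covers(record: dict, when: Optional[str] = None) -> bool:
    """True if the listed certificate's validity window includes `when`
    (default: first_seen). Caveat: an Authenticode signature with a valid
    timestamp countersignature keeps verifying after the certificate
    expires, so False is a lead to investigate, not a verdict."""
    t = parse_seen_time(when or record["first_seen"])
    return parse_cert_time(record["cert_valid_from"]) <= t <= parse_cert_time(record["cert_valid_to"])


def rule_serial(rule_name: str) -> Optional[str]:
    """Extract the hex serial embedded in a ditekSHen INDICATOR_KB_CERT_<serial>
    rule name, normalised to uppercase; None for rules of other shapes."""
    m = re.fullmatch(r"INDICATOR_KB_CERT_([0-9a-fA-F]+)", rule_name)
    return m.group(1).upper() if m else None


def yara_cert_rules_match_listed_cert(record: dict) -> Dict[str, bool]:
    """For each INDICATOR_KB_CERT rule in the record, report whether its
    serial equals the serial shown in the certificate block (leading zeros
    ignored). False means the rule fired on a different certificate serial
    than the one the entry displays."""
    listed = record["cert_serial"].upper().lstrip("0")
    out = {}
    for name in record["yara_rules"]:
        serial = rule_serial(name)
        if serial is not None:
            out[name] = serial.lstrip("0") == listed
    return out


if __name__ == "__main__":
    for check, ok in verify_sample(SAMPLE_BYTES, RECORD).items():
        print(f"{check:10} {'match' if ok else 'MISMATCH'}")
    print("certificate valid at first_seen:", cert_covers(RECORD))
    print("rule serial == listed serial:", yara_cert_rules_match_listed_cert(RECORD))
```

Replace SAMPLE_BYTES with the bytes of the file you actually downloaded; only when every entry of `verify_sample` is True are you looking at the sample this page describes.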

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe bf64131372e368ffb93f50038fca0362b3694c5b59e5285ba23b65326098e6e3 (this sample)

Delivery method: Distributed via e-mail attachment

Comments