MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8
SHA3-384 hash: 740e9ebcb1db2c56944a3a4ea325e8653a23f16a0916942f9c0b534e5ffad851248b2fe281f141719b2a9ef29b0a4008
SHA1 hash: a28f9be767b628af5954de4c0218d7c75e1bfe16
MD5 hash: a506ca65b78a0c3475f855f463c0ce06
humanhash: early-delta-purple-december
File name:a506ca65b78a0c3475f855f463c0ce06
Download: download sample
Signature Formbook
Create hunting rule
File size:546'816 bytes
First seen:2022-01-31 05:17:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:DcqcBcZtcZDcTcfHVO7JpyTazy8qhUCBpOD3DRNTxrOIQYpQqioR0smQY2FcehVw:DcqcLHVO7Jcjk3t/yaL0sjYDeUw
Threatray 12'937 similar samples on MalwareBazaar
TLSH T1ABC4BFB4A1FB8650F10E8A74656CF92102F234E3F9C68E395B257541CFAAF907E8560F
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Alligator Pty Ltd Quote.doc
Verdict:
Malicious activity
Analysis date:
2022-01-31 04:57:07 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/14641466-5cc9-4295-a702-3881d4286d5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228286/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f7710dd7fd65ae55fa9ef6/reports/054bd18d-c767-474c-930d-73024e1cc958/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b0c1157-00b6-40af-9341-68d7b7a21ef7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930544
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 05:18:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
50771a013c968d61b8e3111da3cb205f1d8878031c63bdbaaddaa87308a3e290
Formbook
5fabf5c9fcceb520d7023eaf53122959f42bdb4b1c82bc916baa4bbb94f787ae
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
96f1c5c1d23be195f1020daf8b7e179d77d6cd0b24cdda659b3af07da82b169c
Formbook
9e54c12e7b23d9988514b9aae1e3593b0a08814357860ff270f42014914b0a1e
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
c3e318eafb968f401d5165bb17e765613339ce25e4e48e99ea734580fae06d84
Formbook
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Formbook
+ 12'927 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cw22 rat spyware stealer trojan
Link:
https://tria.ge/reports/220131-fzaj8sfdfp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
869f78b5a52c9e2d54a34e19c8971968ec06016b0693b162c4701128604625bf
MD5 hash:
6541a35c3fef646396355d208c9262ac
SHA1 hash:
3abcff512dc7476ccb1f97f402c7ee5fda51aec4
Link:
https://www.unpac.me/results/52dc644f-51e0-433c-9f7a-8c687d7646f1/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/52dc644f-51e0-433c-9f7a-8c687d7646f1/
SH256 hash:
3923e27b99f5261231ba3f47241c7930ab9b42cc4736ca5d6f60a6ad09540b97
MD5 hash:
a6f7e7288bbf6a0f1abe3d115f79da03
SHA1 hash:
4f7141b3221407d7b4b00d60682a933d868674fb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/52dc644f-51e0-433c-9f7a-8c687d7646f1/
Parent samples :
459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8
da00ad76bb648365108fb03a95cf69a56608e4605cfe02fcaf933af239ce7ac2
83a185ff11eeb89503c854f293b38c238e02022a357446017524bde45f085570
1088b355d40f002d623e85b8bfe0964599a45abb9fe6c8a4afc8289a85012595
d472be00c8fd766636fb12d2acb553ab17876fcf722587c87a8fca98a7d20aee
SH256 hash:
d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8
MD5 hash:
a506ca65b78a0c3475f855f463c0ce06
SHA1 hash:
a28f9be767b628af5954de4c0218d7c75e1bfe16
Link:
https://www.unpac.me/results/52dc644f-51e0-433c-9f7a-8c687d7646f1/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d0eabfe28f6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2017576/
Cape
Cape
https://www.capesandbox.com/analysis/228286/

Comments


Avatar
zbet commented on 2022-01-31 05:17:26 UTC

url : hxxp://paxz.tk/mannseczx.exe