MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1f436b64d16179e0491d6f691c305b31f05d69a446045dcca7dd3f388559ac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	d1f436b64d16179e0491d6f691c305b31f05d69a446045dcca7dd3f388559ac5
SHA3-384 hash:	54ce4c560259327d71fde3516a18478ef5be5c292719f394a98ff6dda29522816c3736fe09f5582bb7cbc75522c7d544
SHA1 hash:	ccd23a6c42cd59bc86121ba5020880aa64bd01d6
MD5 hash:	4a6936cf7b91118afa0e4bd5a2518c19
humanhash:	lemon-fruit-venus-beryllium
File name:	PURCHAS.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	722'432 bytes
First seen:	2022-03-30 13:56:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:IWqcZ8hFFWFRBSNPlC7AKqIIXGPG/IgkzKCb/4q6kze+l9Fq:3D8wRQNs7+RWPG4z9/4qdZ
Threatray	14'501 similar samples on MalwareBazaar
TLSH	T178E4E016BAA5C816DD18173680F1DC780332BF52A973E70F79E57D6B39333E20A41A5A
File icon (PE):
dhash icon	7cf6b6aa8ed0e8b4 (18 x Formbook, 3 x SnakeKeylogger, 2 x NanoCore)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/259707/

Detection(s):

Win.Dropper.Jacard-9878052-0

Win.Dropper.Formbook-9917440-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Searching for synchronization primitives

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe greyware obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/624461b1a19c649412acb5eb/reports/a0193823-ecc1-4a3b-8501-9095bc0f9d84/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f25cd021-ead1-4356-a5c3-1a9b7c593367

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/967625

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d1f436b64d16179e0491d6f691c305b31f05d69a446045dcca7dd3f388559ac5/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2022-03-30 09:38:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2h2dnnsncylz4ber233jdqyfwmpqlvu2irqelxgkpxj7hccvtlcq._file

Verdict:

malicious

Label(s):

formbook

Formbook

6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2

Formbook

6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e

Formbook

8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa

Formbook

9ce095407360621d73c9274fa4c8ada20469de99c13dfa17c546c50516b0e9b0

Formbook

bc91c7988916b582c31a55f44cbdebcfae416c3f645bf8826485fc358e0ac0e7

Formbook

f199872c7181357c0f97b1c5415251a41b0588af401461f319fafe94b2ed4653

Formbook

+ 14'491 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:d1n3 rat spyware stealer trojan

Link:

https://tria.ge/reports/220330-q88thacde5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Unpacked files

SH256 hash:

d1f436b64d16179e0491d6f691c305b31f05d69a446045dcca7dd3f388559ac5

MD5 hash:

4a6936cf7b91118afa0e4bd5a2518c19

SHA1 hash:

ccd23a6c42cd59bc86121ba5020880aa64bd01d6

Link:

https://www.unpac.me/results/72f7d774-9046-403b-b496-5e029b766ace/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d1f436b64d16/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/d1f436b64d16179e0491d6f691c305b31f05d69a446045dcca7dd3f388559ac5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/259707/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample