MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab
SHA3-384 hash: d73f3ba0e6c1509fd4580018df5329f84d681d9d20024650971dec7c68ba3d8d1c2208f5cde83ee09b49ead706f86736
SHA1 hash: 3b274838cd098c2f26ece2928300fe4f1e24a9d4
MD5 hash: a0bfccb8cc68d350b02287d70507e70d
humanhash: violet-floor-jersey-low
File name: a0bfccb8cc68d350b02287d70507e70d
Signature: Formbook
File size: 281'510 bytes
First seen: 2023-07-28 04:15:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (also seen on 1'059 Formbook, 741 AgentTesla and 431 GuLoader samples)
ssdeep: 6144:PYa689fXW3LMiiTEqOyYKFEZWAQoAALLg6UM6KYUvjuyT2XH9PDD0:PYS9fXW+TEqdXkLg6YUrui2Xd7D0
Threatray: 301 similar samples on MalwareBazaar
TLSH: T177542365F174DD27C4C006B8A8BA6D737D62FA2A40526747F7807B4AFDA1762C81E3B0
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Icon dhash: b2a89c96a2cada72 (also seen on 2'283 Formbook, 981 Loki and 803 AgentTesla samples)
Reporter: zbetcheckin
Tags: 32 exe FormBook
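The hash table above is what a downloaded copy of the sample should be checked against before it is analysed or shared. The script below is an added example, not part of this MalwareBazaar entry or of MalwareBazaar's own tooling: it recomputes the four published digests and the file size with the standard library and reports each field separately, so a copy that happens to agree on MD5 but not on SHA256 is reported as exactly that rather than as "matches". The published values are copied from the table; the `abc` bytes used in the self-test are a constructed stand-in, not the sample.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Values published on this MalwareBazaar entry (copied from the table above).
PUBLISHED = {
    "sha256": "d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab",
    "sha3_384": "d73f3ba0e6c1509fd4580018df5329f84d681d9d20024650971dec7c68ba3d8d1c2208f5cde83ee09b49ead706f86736",
    "sha1": "3b274838cd098c2f26ece2928300fe4f1e24a9d4",
    "md5": "a0bfccb8cc68d350b02287d70507e70d",
}
PUBLISHED_SIZE = 281510  # bytes ("281'510" in the table)


def digest_all(data: bytes, names: Iterable[str] = PUBLISHED) -> Dict[str, str]:
    """Compute the requested hashlib digests of data, keyed by algorithm name.
    On a FIPS-mode Python, hashlib.new("md5") raises ValueError; that is left
    uncaught on purpose so a missing check cannot pass silently."""
    return {name: hashlib.new(name, data).hexdigest() for name in names}


def verify_sample(data: bytes, expected: Dict[str, str],
                  expected_size: Optional[int] = None) -> Dict[str, bool]:
    """Compare computed digests (and optionally the size) with published ones.
    Returns one bool per field instead of a single verdict so partial
    mismatches stay visible."""
    actual = digest_all(data, expected.keys())
    result = {name: actual[name] == expected[name].lower() for name in expected}
    if expected_size is not None:
        result["size"] = len(data) == expected_size
    return result


def verify_file(path: str, expected: Dict[str, str] = PUBLISHED,
                expected_size: Optional[int] = PUBLISHED_SIZE) -> Dict[str, bool]:
    """Run verify_sample on a file on disk: the extracted sample, not the ZIP."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read(), expected, expected_size)


if __name__ == "__main__":
    import sys
    checks = verify_file(sys.argv[1])
    for field, ok in checks.items():
        print(f"{field:9} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(checks.values()) else 1)
```

MalwareBazaar delivers samples as a ZIP archive protected with the password `infected`; run the check on the extracted file, since the archive's hashes will never match. MD5 and SHA1 are kept only so older reports that list nothing else can be cross-referenced; SHA256 is the value to pivot on.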

Intelligence

File Origin
# of uploads: 1
# of downloads: 270
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a0bfccb8cc68d350b02287d70507e70d
Verdict: Suspicious activity
Analysis date: 2023-07-28 04:17:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: evad.troj
Score: 88 / 100
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Threat name: Win32.Trojan.Swotter
Status: Malicious
First seen: 2023-07-20 16:20:46 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
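Three of the vendor reports above describe the same event from different angles: "Unauthorized injection to a recently created process" in the first behaviour list, "Maps a DLL or memory area into another process" and "Detected unpacking (changes PE section rights)" in the signature list, and the MapViewOfSection / WriteProcessMemory / SetThreadContext flags in the last one. Together they are the classic loader pattern of creating a process, writing the unpacked payload into it, redirecting its main thread and resuming it. The detector below is an added example, not part of this entry and not any vendor's rule: it walks a list of per-process API-call events of the kind a sandbox trace or EDR telemetry provides and reports each source/target pair that shows that chain. The event dictionary layout (`pid`, `api`, `target`, `flags`) and the trace are constructed for this example; the API names are the real Win32/Nt calls, but the grouping and scoring are this example's heuristic.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Real API names; the grouping into stages is this example's own choice.
CREATE = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}
UNMAP = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}
WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection", "MapViewOfSection"}
CONTEXT = {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}
RESUME = {"ResumeThread", "NtResumeThread"}


def detect_injection(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per (source pid, target pid) that shows a
    create -> write -> set-context -> resume chain against another process.
    Each event is a dict with pid, api, optional target (pid acted on) and
    optional flags (dwCreationFlags for create calls)."""
    fresh = lambda: {"created": False, "suspended": False, "unmap": False,
                     "write": 0, "context": False, "resume": False}
    state = defaultdict(fresh)
    for ev in events:
        src, api, tgt = ev["pid"], ev["api"], ev.get("target")
        if tgt is None or tgt == src:      # only cross-process calls matter
            continue
        s = state[(src, tgt)]
        if api in CREATE:
            s["created"] = True
            s["suspended"] = bool(ev.get("flags", 0) & CREATE_SUSPENDED)
        elif api in UNMAP:
            s["unmap"] = True
        elif api in WRITE:
            s["write"] += 1
        elif api in CONTEXT and s["write"]:
            s["context"] = True            # context change only counts after a write
        elif api in RESUME and s["context"]:
            s["resume"] = True             # resume only counts after the redirect
    findings = []
    for (src, tgt), s in state.items():
        if not (s["write"] and s["context"]):
            continue
        if s["created"] and s["suspended"] and s["resume"]:
            kind = "process hollowing" if s["unmap"] else "injection into suspended child"
            confidence = "high"
        elif s["created"]:
            kind, confidence = "injection into created child", "medium"
        else:
            kind, confidence = "cross-process write with thread context change", "medium"
        findings.append({"source": src, "target": tgt, "kind": kind,
                         "confidence": confidence, "writes": s["write"]})
    return findings


# Constructed trace, not taken from the sample: pid 100 plays the packed
# loader hollowing child pid 200; pid 300 writes to and resumes pid 301 without
# touching its thread context, which a debugger does and must not be flagged.
SAMPLE_TRACE = [
    {"pid": 100, "api": "CreateProcessW", "target": 200, "flags": CREATE_SUSPENDED},
    {"pid": 100, "api": "NtUnmapViewOfSection", "target": 200},
    {"pid": 100, "api": "WriteProcessMemory", "target": 200},
    {"pid": 100, "api": "WriteProcessMemory", "target": 200},
    {"pid": 100, "api": "SetThreadContext", "target": 200},
    {"pid": 100, "api": "ResumeThread", "target": 200},
    {"pid": 300, "api": "WriteProcessMemory", "target": 301},
    {"pid": 300, "api": "ResumeThread", "target": 301},
]

if __name__ == "__main__":
    for f in detect_injection(SAMPLE_TRACE):
        print(f)
```

The ordering checks matter more than the API set: a context change before any write, or a resume before a context change, is what debuggers and installers do, so the detector does not count them. The medium-confidence branches exist because the last behaviour list above names WriteProcessMemory and SetThreadContext without saying whether the target was a suspended child; a trace that lacks creation flags still produces a finding, just a weaker one.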
Unpacked files
SHA256 hash: f8432dfb629b133957e9d925cba1c531f16641f7c0c8a0bc5ad66bb4743a1ffb
MD5 hash: 4c4619983a4126b5c893382eff024d14
SHA1 hash: ee905f683505883cdadebe8db2387bc755639952
Detections: XLoader win_formbook_w0 win_formbook_auto win_formbook_g0

SHA256 hash: e4f91a7abc25794fbe1cfca6615291eb0e1ee971917b36692b724d399cdda125
MD5 hash: 5314bd600681c1e2ae719eab2e675939
SHA1 hash: 2f92ca1b9ee548b6becf28d521c64faa9ef08e32

SHA256 hash: 9cba1183ed6a9a89a34805730da01edaed2026b3d3cad0e3ef9710fbeb3ec442
MD5 hash: 9da370474c2a7427495e83bed70b87ab
SHA1 hash: de2b22ba5cf618e0fc6ff30a8927820f1544068a

SHA256 hash: d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab (this sample)
MD5 hash: a0bfccb8cc68d350b02287d70507e70d
SHA1 hash: 3b274838cd098c2f26ece2928300fe4f1e24a9d4

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File: Executable exe d587be51aa8da3d6ec72c1c3ad9c24c04c5ef97d4da7f8edb9c0ae04f6e111ab (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-07-28 04:15:25 UTC

url: hxxp://103.16.215.196/OneDrive/wininit.exe