MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d
SHA3-384 hash:	249a608a7ad8e427a3c0de8a2489cb95d97abd807c1d956c0211a3e58dfbc4298879b6d6d2d6812153994dcd6eadabf6
SHA1 hash:	f049165f7a26e79d377c8a032fe1181186bec425
MD5 hash:	0c905119ef6b91c0f63e9aee600c0da4
humanhash:	gee-illinois-alabama-double
File name:	SecuriteInfo.com.Win32.MalwareX-gen.25506.17166
Download:	download sample
Signature	Formbook Create hunting rule
File size:	785'920 bytes
First seen:	2025-02-11 04:21:01 UTC
Last seen:	2025-02-11 08:40:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:OoaovT2lPK7JmS/swf/aJ6BV3HZW/k17s2hfzCiLWAarqXG621Ua0Ddl610p3IHy:P2BKQ0sTIHZW/ss25CAsjV1UzD
Threatray	4'438 similar samples on MalwareBazaar
TLSH	T1FBF4AEDC3610779FCC17D5358A28ECB4A65428BAB307B19395D7279BB94C583CF08AE2
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	44d48cc484ccc4a4 (11 x Formbook, 7 x MassLogger, 3 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

457

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.25506.17166

Verdict:

No threats detected

Analysis date:

2025-02-11 04:21:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8a10dd09-e45c-4081-9d26-f6e692d25812

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.25506.17166.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67aad08049f32dfb0d82e8ed

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/659d7984-d4f1-49a1-8f5c-fcbd3908f1de

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1611715

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d/

Threat name:

Win32.Spyware.Swotter

Status:

Malicious

First seen:

2025-02-11 04:21:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=23l664g26c4f57v2vclzfcskjp4qfvsp3iqi6fsyvf5d4hmsoj6q._file

Verdict:

malicious

Label(s):

formbook

unknown_loader_037

Formbook

1baa49adfc29b9c617faf3d22a5f96cdd09f5e4f40ff311e310eebbba0b5b632

Formbook

8d39599a31cac2a8cf51d0b0d6dfd6dbafa76dd1cd33d70d0ce6a8235c662a5d

Formbook

c6b1ba9ffe05a03d88f24ae7fe9c3543976d9c392862d4c2ca6ca2d53c4befd6

Formbook

ca1d2592c9726d9e3a6a57c55ac57b40d9aa3bc501393a40962afd5bd4946433

Formbook

error

Formbook

+ 4'428 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:da16 discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250211-ey3zqaxlas/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5b3d4df4-1e63-457c-8802-9594825868df

Unpacked files

SH256 hash:

d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d

MD5 hash:

0c905119ef6b91c0f63e9aee600c0da4

SHA1 hash:

f049165f7a26e79d377c8a032fe1181186bec425

Link:

https://www.unpac.me/results/f35c0ffd-2865-4f19-90b7-a0a26aae1bf9/

SH256 hash:

ee0fba010fac20a42bb77eff027e17985103af6f6e14f55cf160498aabf348be

MD5 hash:

1f4d5984e586ea953a6a46e442d2e736

SHA1 hash:

2e89b22f94ba1740325cc4149073b76dbed4e4cd

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/f35c0ffd-2865-4f19-90b7-a0a26aae1bf9/

SH256 hash:

b7834978563fcd4cf3c114d9bbe596161296b4b05888efcebea3e2d032ac8779

MD5 hash:

84cb602525d33ef5147ead75d6030925

SHA1 hash:

be056c15dacf3e14e70d57a78f94c52614046d32

Link:

https://www.unpac.me/results/f35c0ffd-2865-4f19-90b7-a0a26aae1bf9/

SH256 hash:

481c56057ae1c10190d843eb27332bc7cac43993d12b99e665027fd3affc5124

MD5 hash:

cd983abdab097e7ed527ad9edfdaac1e

SHA1 hash:

e869955c24571606f75695f73de5f3b5a26d7177

Detections:

win_formbook_w0

win_formbook_g0

win_formbook_auto

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/f35c0ffd-2865-4f19-90b7-a0a26aae1bf9/

Parent samples :

02bab1bd1860192821c46d83a7fdf46be17a34788db60d45e6004e7a30f110d6
6042e232fb52a8ddef6d8107806b2eb734cf4a703941e4639e5d3aa8a27d2023
d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d6d7ef70daf0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d6d7ef70daf0b85efebaa897928a4a4bf902d64fda208f1658a97a3e1d92727d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample