MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897
SHA3-384 hash:	65d119ef0fcba81b24aa1014647b39c5903567702c13ca7543f09f8857ee0a2aafccde8c5dbee9818280078465d27ad2
SHA1 hash:	76dcf3e77fe1811ea01aac8e13d450b4e93a057f
MD5 hash:	96bdda944caca2403bd9bf140c37400b
humanhash:	purple-emma-four-friend
File name:	SecuriteInfo.com.Mal.Generic-S.30428.6707
Download:	download sample
Signature	Formbook Create hunting rule
File size:	244'518 bytes
First seen:	2021-05-26 05:57:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:8shNdrHEcWM3VNS8OU5KjWp86RqJFtXclfR+yAVqElcR:F7rkcWcN8sqthVqwcR
Threatray	5'467 similar samples on MalwareBazaar
TLSH	873412A123D8C4BBF0A618305C266BE4D7F857053A52858FE7E50F2D2A315D3AC9C7CA
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Mal.Generic-S.30428.6707

Verdict:

Malicious activity

Analysis date:

2021-05-26 06:29:43 UTC

Tags:

installer

Link:

https://app.any.run/tasks/da9b5ea6-0e93-4d96-938e-3d241239f04e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/162213/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.30428.6707.UNOFFICIAL

PUA.Win.Trojan.Casino-141

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/792247

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-05-25 19:27:34 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3bu7uj75lvncffqj6imfolywewbazoaxnotmcylhctsa2ttlpclq._file

Verdict:

malicious

Label(s):

formbook

Formbook

744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc

Formbook

78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c

Formbook

82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886

Formbook

ae5df8905dd1b9de509e6764dea4c5571916b1705a129bddf2f5e2e554552acb

Formbook

af2f2ca290589cc5582a0da252931b616dc62a88f53a9f9e00e9663b3ea2548a

Formbook

b35de004189f271fe754dd614e5fbbc299425f5aca9ebf1f935bf26696964853

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

e47fa9824fd9f5f8e8b42fb02f53cfbf57b7c784d54c9e76ed247a9d297835cf

Formbook

e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267

Formbook

+ 5'457 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210526-kn4mfs2vle/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.knighttechinca.com/dxe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/162213/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample