MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d95c31b30732f5863884166f1c2c69de4426767f77898c3d6f396bc98924de1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 15
| SHA256 hash: | d95c31b30732f5863884166f1c2c69de4426767f77898c3d6f396bc98924de1d |
|---|---|
| SHA3-384 hash: | e225f982c3cd766e5f7238d07c45092e2fc54bb2ec72c13260efd61dcc49f8fecac271dfc4d70bf6bc27dcb2c9b171cd |
| SHA1 hash: | 9aa775fbb33787bc17728f91dfd5be8837f26036 |
| MD5 hash: | 299384d76f888a1ac0a72a4aa8e711c5 |
| humanhash: | failed-fanta-ceiling-nevada |
| File name: | 299384d76f888a1ac0a72a4aa8e711c5 |
| Download: | download sample |
| Signature | Formbook |
| File size: | 233'800 bytes |
| First seen: | 2022-11-18 02:33:43 UTC |
| Last seen: | 2022-11-18 04:41:19 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki) |
| ssdeep | 6144:MEa0Nrs8Lp7qofDUGbNqTso6ykjAlxNXCFTy1Og58UM:XrsCRqKUgG6yWPy2UM |
| Threatray | 20'171 similar samples on MalwareBazaar |
| TLSH | T15734135673F6A1B7E68AB2300DABA736E3FB9011511335CB0F08A9FE5A943138D191D7 |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe FormBook |
Intelligence
File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
299384d76f888a1ac0a72a4aa8e711c5
Verdict:
Malicious activity
Analysis date:
2022-11-18 02:36:02 UTC
Tags:
formbook trojan stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Reading critical registry keys
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
lokibot overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2022-11-17 16:26:14 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 20'161 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:3i68 rat spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
4c35be96dd2b479e85a1ede895a4b9b39c70b5cbaccab7f73cb11f5118505656
MD5 hash:
df6cbb7758770b619896f37c1dbb9faa
SHA1 hash:
c2c86d059334ca1902db397c84ec60d1909fd589
Detections:
XLoader
win_formbook_auto
win_formbook_g0
SH256 hash:
306ac5974f21c3f2ce0b30926f2f27471954698dee989ae91990655a5f703dfd
MD5 hash:
fc3efbd23849aff7c470bac8c9196ca4
SHA1 hash:
04a7926f1bee4fd61d9833621d54357914fdf32a
SH256 hash:
9b2f051ab6dda78afc3654e5c0f01e4bb3386a2206042e3d1a70f5be76268b8c
MD5 hash:
742275e90b462cfbfe73a63af5fc5432
SHA1 hash:
81634ba97d2a07926a4984dcc216ff387e36b2e8
SH256 hash:
d95c31b30732f5863884166f1c2c69de4426767f77898c3d6f396bc98924de1d
MD5 hash:
299384d76f888a1ac0a72a4aa8e711c5
SHA1 hash:
9aa775fbb33787bc17728f91dfd5be8837f26036
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://precastt.com/tk/tkws.exe