MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dba7e341680ce85d5a6faffb271341125a079ba249ddcc78db2d3bbd74c5ceee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

SHA256 hash: dba7e341680ce85d5a6faffb271341125a079ba249ddcc78db2d3bbd74c5ceee
SHA3-384 hash: 40e209671a92f602bb064a1a4aaf171112f3076e4eb7233e546f1da1a5c84729ddf6a6f83be408f2c7464cdd9ce08325
SHA1 hash: 864447e507ab37f8c914e289a93cd81b685e7712
MD5 hash: a945ee42b9e2b7b5d86d39fd848bbfdb
humanhash: avocado-apart-fillet-triple
File name: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29695.23267
Signature: Formbook
File size: 352'026 bytes
First seen: 2023-12-01 02:17:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep: 6144:P8LxBsiiQwQkg1wVvKw4qrwUukEJ5aZFFj/YmGe6GAWbFISmIUty3BsNqDSN5W:xzQVkgov3+pJ5aZTGeB7RIftMBsNqDSK
TLSH: T1D77422136BD38977D6B04CB44A37BB7DB3BAD16C1020538F97B43F3B7A611098928666
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: SecuriteInfoCom
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 324
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a process
Creating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict: MALICIOUS
Result
Threat name: FormBook, NSISDropper
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2023-12-01 01:40:35 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:st58 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments