MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0
SHA3-384 hash:	0e786701fe22bea9507e12e3bc1cce1a077f8649d8a34a703490543f3865f5d873dc65f7a21d5f93419c72951f610ba0
SHA1 hash:	fb86434ba87648368052989ce5a629ab47621bb5
MD5 hash:	b0d3ae56ef19c8176a8a705d368c9455
humanhash:	potato-quiet-diet-five
File name:	b0d3ae56ef19c8176a8a705d368c9455.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	200'555 bytes
First seen:	2021-07-12 09:15:01 UTC
Last seen:	2021-07-12 09:59:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	6144:xMm4CCAj/eOHrHqN1+DvqMriXsL1SQE8vLFGI:xMwRLeOHrO1KvB+XsL1SQDvLFGI
Threatray	5'939 similar samples on MalwareBazaar
TLSH	T1211402457290C4F7D96A17710F789A11ABE6F51130F4970B8BB0EA4CB9B0BC2E98E749
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b0d3ae56ef19c8176a8a705d368c9455.exe

Verdict:

Malicious activity

Analysis date:

2021-07-12 09:24:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7f3a2f90-f6d6-4df4-8183-f634c42fbaa4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/171023/

Detection(s):

SecuriteInfo.com.Gen.Variant.Jaik.46770.23829.19789.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a078109-20e4-4461-ac0d-aadc63b82594

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/814667

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-07-12 09:15:09 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=34aivlhffat2cxqnx6hg5mpu7265n6x43pf27ylp6j5xkjszjpqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

0fdda8d99fa4bec3e24b20ace57759d6af0f643d835be41c1be0e93ebfc2970d

Formbook

35d5ace8383b8bbf1b4f1846b8f4c852899bad23312c02a1fa413c4d913e8603

Formbook

4718e1656f1f705c062702c9d6f26a0fc4de0a7fec3ced0e0b521432f5037be3

Formbook

8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce

Formbook

8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4

Formbook

968e33752d87dc19ca806c2debcf125a50f6223b5732eb3191b9d9c9db9cf4dc

Formbook

b21e4b93bd73868c7dcd13384c55c8c9b562abd7d858497a45f8a804ff639866

Formbook

c92701cd811149250de5cf99296d191459a85dd7776088394ea3e31e6beb26b9

Formbook

+ 5'929 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/210712-rv18snmdte/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

5ff15cb9a8d67710a630867ef622b6bff24f3ee52ee6844c9027b0455a71e2fb

MD5 hash:

c8a9188528db8956650b728924c2e513

SHA1 hash:

d3c6cb5fa7ad84cf1b41ff56ea6e2843beb11642

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3824fe18-fd60-4112-bbae-760db242ca67/

Parent samples :

0fdda8d99fa4bec3e24b20ace57759d6af0f643d835be41c1be0e93ebfc2970d
8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4
35d5ace8383b8bbf1b4f1846b8f4c852899bad23312c02a1fa413c4d913e8603
0269bbd8953a859b8f56784a8321414cb8e51f74a8c95d9121c7fa484db2e34e
968e33752d87dc19ca806c2debcf125a50f6223b5732eb3191b9d9c9db9cf4dc
b21e4b93bd73868c7dcd13384c55c8c9b562abd7d858497a45f8a804ff639866
8a10e17372d6f0d1216481058f73b83733ffbdd61ccb4a92ac7543b0308bc5ce
c92701cd811149250de5cf99296d191459a85dd7776088394ea3e31e6beb26b9
df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0
0cf80c8f64e7d607ee9088aaae888815ef75788f4f425b8fed868f0b057abdee
d8dcaea8f4111f3d9f443de90a88ecc27e9e3a878d86d923738059a6c0bafe7c
9a2b8fc3a21d660a2d8526bd1816b1304d60046e26c6d33553701d3883a6d31c
1a222b6d3a94cd1c8447b52f150e6d7dc20842da0d2e81ccbd0d6ecd5d01f59a
39d6d6751f8690fc26a41d18d14f076fce5cdffeceecdd1738d731e4ce7ddda5
11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
47084efc1f6a0205db28ae519b750bb03bbfb310609f9924e999e47bd99838dd
3759a4136f3ab450b1c26121511bdfea101baf948b580af60516c8c2d5c7b900
537a1b1e9a633875a74664967b2e62803f01b619fb26df9b4762b6795ee1b0ec
ab101d01bcc79b6835eeeae5c3e89b0857fdd3b32e007b15ec5541a5f4aa9e00
ef925865b194ddd0d59233fec99f8e3608a623c3d4f7eaaf34b9af57f9bb0a82
f51f764b6ee4051c097c29478b9fe1bea52df1be495c236bfc622477533e5ccf
84679ca59603f405a5096114188af75d5dcc3680ef795e446bd358f48cf12046
56037f063f73db6d972501996ef47add6b861c01140c3d8d51cc08de64b3d73a
b840f470d0cb4edaa85663b15f539593e3c31d81cec9e9ed1bb1c2539fc8d20c
56d6f10098e58e9b99da5ac5a8ed3c9a1f37eff6b2361907316cf3222f8652ec
a456a011d3554d95939f148a5bd1e46c5fc13cdf3e35e76da3d9117903bf89b5
368b6977de3879f6399b1199a740aea7457cbdc53aac44823d3d3f704fac1d7f
273f8137fbe63ffef8f64fa9efad27fac451ffec71edaf1a4a7769a277a2379f

SH256 hash:

501aee26ed1e9069b5f714c00893bc148fa36b054becd21e3a0b60320a8c2e44

MD5 hash:

12d6a494759a6d2e0f4be1b9fee8cc8b

SHA1 hash:

020ac2ccf645f496a93826394d7732c699ec4874

Link:

https://www.unpac.me/results/3824fe18-fd60-4112-bbae-760db242ca67/

SH256 hash:

add696a9ab5e7d99090d4daba5ae2fea385a1e0df6d5148ee2857a87376fa806

MD5 hash:

d997f5f8da4ddd3c8022a030b6af9d35

SHA1 hash:

e6cc1a74f963362ab7098c098737e1f24daa9e73

Link:

https://www.unpac.me/results/3824fe18-fd60-4112-bbae-760db242ca67/

SH256 hash:

df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0

MD5 hash:

b0d3ae56ef19c8176a8a705d368c9455

SHA1 hash:

fb86434ba87648368052989ce5a629ab47621bb5

Link:

https://www.unpac.me/results/3824fe18-fd60-4112-bbae-760db242ca67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe df008aace52827a15e0dbf8e6eb1f4febdd6fafcdbcbafe16ff27b7526594be0

(this sample)

Cape

https://www.capesandbox.com/analysis/171023/

URLhaus

https://urlhaus.abuse.ch/url/1335110/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample