MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df88d3b6247048f82c4e26d69b6694322bba229ade26eaf1355942f67f014ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df88d3b6247048f82c4e26d69b6694322bba229ade26eaf1355942f67f014ad1
SHA3-384 hash: 5bfd4c874464e76ea2d0bf5e3f4234ee96c4ae0699fc75edf8747acb5d9e9d9ad0f7d23904ba663b3a13897328e90d3f
SHA1 hash: cd3c27cd01aed1f5eb34da066f615eb27c383f5b
MD5 hash: 1cf29d6979f7c82f41f1893e825d3d54
humanhash: summer-sixteen-skylark-eleven
File name:SecuriteInfo.com.Win32.Evo-gen.29599.20086
Download: download sample
Signature Formbook
Create hunting rule
File size:342'357 bytes
First seen:2023-08-24 10:29:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:GYa6R2DqJEChtRRJ3ocb854YbL1Nr4iYKRiWVD433U7nIHB5:GYBOCt3161NrTFRiX2nq
Threatray 1'543 similar samples on MalwareBazaar
TLSH T13174F1116916D8FFE67F46F4143E79B45A43BC24980B691F23CB7645AFB8290E03B392
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a065646aeec646ec (21 x AgentTesla, 13 x Formbook, 5 x DarkCloud)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Evo-gen.29599.20086
Verdict:
Suspicious activity
Analysis date:
2023-08-24 10:33:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7984ab96-9060-4f86-9f6c-84b7a390ac2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444480/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.29599.20086.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108460/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
91%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64e7312cac089eb812462000/reports/53b8b087-69ec-4598-ac9a-bfaecfb1ae81/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/df88d3b6247048f82c4e26d69b6694322bba229ade26eaf1355942f67f014ad1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4efb113-4994-4d60-a92a-9d1ede91fc73
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1296585
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df88d3b6247048f82c4e26d69b6694322bba229ade26eaf1355942f67f014ad1/
Threat name:
Win32.Ransomware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-24 09:57:02 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36enhnreobepqlcoe3ljwzuugiv3uiu23ytov4jvlfbpm7ybjliq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14ae647473cbf4def9becdbbb1f007fd8c96c63be5c88014415ab13e6467168f
Formbook
5c58e2edb4b7fa9a04901a73e7f34e5a93aec5703e03ec87f79b2799b7be7119
Formbook
6e5d99d18277264f3c4da40f9ac2233e1adfde344174dcdcb9f06fc1ed545f80
Formbook
736808fef49ea666d160c9943b624f0ad79c3d10c44b8042a602d8a31d2465a3
Formbook
a4df6cc445d507cdbdaa4d25a5dcbe3c681d808214715b5405cd9cc9f9b143b4
Formbook
ab0843bedd48b6050c5549507e9297766ff8a12742b93ac408a517c038911a1d
Formbook
b2f634be000cf32e481c6f66928d8a428a3481f17c7a045a39150bdf9ae6dbe7
Formbook
b35cfe6096c42b13838fcad82902889405e6d37607aebd86ab982b47b610c80c
Formbook
b9919579d8d7357ce721b68c6e06709eb9a6fd10066aa0d238fccc55ef7d2112
Formbook
cdda311b19b7310a22c171a9e83e6eb26f0319b9ea904cd6cbbed31b371e8fc7
Formbook
+ 1'533 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230824-mjs5zabg98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
4c209d1f2fdf99bd95efa531c4a4a39b66a927eac901833fe73b407f5bcfcd09
MD5 hash:
eec4f3c04ac12176dfe7136120ec3f5f
SHA1 hash:
d7920a1c30b20b67babf16293e2f9b4b868a2d05
Link:
https://www.unpac.me/results/8b08cd63-645f-446c-b718-aa440239459a/
SH256 hash:
df88d3b6247048f82c4e26d69b6694322bba229ade26eaf1355942f67f014ad1
MD5 hash:
1cf29d6979f7c82f41f1893e825d3d54
SHA1 hash:
cd3c27cd01aed1f5eb34da066f615eb27c383f5b
Link:
https://www.unpac.me/results/8b08cd63-645f-446c-b718-aa440239459a/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df88d3b62470/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df88d3b6247048f82c4e26d69b6694322bba229ade26eaf1355942f67f014ad1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444480/

Comments