MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e
SHA3-384 hash:	5dae24ef0c5930c99bc3a397ee3a992627d9fd4c093912d41fe2c0968e7b9f6ecf1a101a1896ff63375860d032c4075a
SHA1 hash:	67c77bde645eae0c72d6462c5e9e6ce6b32759f7
MD5 hash:	0d7cc3fef48ab286b36f7b405128eb2c
humanhash:	muppet-river-avocado-pluto
File name:	vlaves inquiry.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	419'029 bytes
First seen:	2023-10-24 10:31:06 UTC
Last seen:	2023-10-24 11:51:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep	6144:xfL+oqOx/AKSRoci2ovK8GHAWbPCy87dkHLicyFuBnpXiFA0revFeOe2j7vIemKW:xfLLxoKSWlK8MCZdALi8pXJ0re5RLk2K
Threatray	21 similar samples on MalwareBazaar
TLSH	T1129412806B718A91E0208A70197FDB164E7C2D3559A05F8F9310B93FBEF22C5966F71B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	fcd0d0d8d4c0c0e4 (2 x Formbook)
Reporter	TeamDreier
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/455951/

Detection(s):

SecuriteInfo.com.FileRepMalware.4650.23893.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65379d25c2a76fbfed333eed/reports/ebd94251-3279-484f-a008-8138a3cb0d84/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cb9439d0-618c-42c2-9398-eb83065f8a66

Result

Threat name:

FormBook, NSISDropper

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1331198

Signature

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Yara detected FormBook

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-10-24 02:20:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4a6vmbliad7i332kzeg4mbt5mvnkqu7yun6x754plevztkb5dzpa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231024-mky3lsea73/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e

MD5 hash:

0d7cc3fef48ab286b36f7b405128eb2c

SHA1 hash:

67c77bde645eae0c72d6462c5e9e6ce6b32759f7

Link:

https://www.unpac.me/results/bf7a28b8-f2e0-404d-9e7a-80b4c508ffa1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e03d56056800/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe e03d56056800fe8def4ac90dc6067d655aa853f8a37d7ff78f592b99a83d1e5e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/455951/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample