MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7d4b1fb8d668e0b01943e63024f65809c6f1ee73ebcc8a969970a29138d85b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: e7d4b1fb8d668e0b01943e63024f65809c6f1ee73ebcc8a969970a29138d85b0
SHA3-384 hash: 87ec09feef64c53feb56838dc0ac4d0ffb127dfb65666f243c59475b7f4ae4862e1e8862cc760a0c483a99d53ddf5b45
SHA1 hash: 011bc4097190adcaa3902842bbffd9ab582be832
MD5 hash: d60289c2fddd1b5e32e83e653ef587cc
humanhash: blossom-hydrogen-utah-lamp
File name: Nuevo orden e imagen.exe
Signature: Formbook
File size: 344'576 bytes
First seen: 2021-09-30 05:38:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ca5041463b2dd933d009ca1aebe1423c (5 x RaccoonStealer, 2 x ArkeiStealer, 1 x RedLineStealer)
ssdeep: 6144:yAX7w1gRuHX4Ano8Vgvobo26cyGGgPUcPI15Ve5R+:NagRuHX4t8Vgvob5BI15VeW
Threatray: 8'302 similar samples on MalwareBazaar
TLSH: T1F574D001A161C9F2E7254A3358D2CAA4D53E7C5DFF2856BB2F9029DEDF3A291C523306
Note: the imphash is shared with RaccoonStealer, ArkeiStealer and RedLineStealer samples, so it describes the import table of the packer stub rather than the Formbook payload; pivot on it to find other files built with the same packer, not to attribute the family.
dhash icon 0630f0b4b4b0308e (1 x Formbook)
Reporter: abuse_ch
Tags: ESP exe FormBook geo

Intelligence


File Origin
# of uploads: 1
# of downloads: 121
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Nuevo orden e imagen.exe
Verdict: Suspicious activity
Analysis date: 2021-09-30 05:41:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)

Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 92 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-29 18:41:55 UTC
AV detection: 21 of 44 (47.73%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:dn7r rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction: http://www.yourherogarden.net/dn7r/

Unpacked files (the hashes listed are those of the submitted sample itself; no distinct unpacked payload is recorded here)
SHA256 hash: e7d4b1fb8d668e0b01943e63024f65809c6f1ee73ebcc8a969970a29138d85b0
MD5 hash: d60289c2fddd1b5e32e83e653ef587cc
SHA1 hash: 011bc4097190adcaa3902842bbffd9ab582be832
Please note that we are no longer able to provide a coverage score for Virus Total.
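The hashes at the top of the entry and the C2 URL from the extracted configuration are the two things a responder acts on: the hashes confirm that a downloaded file is the sample this page describes, and the C2 host plus the campaign path (dn7r, which also appears in the campaign:dn7r tag) become network indicators. The script below is an added example, not MalwareBazaar's own code and not from any vendor listed above. It copies the entry's values into a small indicator set, compares a file's digests against all four listed hashes, and runs the network indicators over proxy-log lines. The log format, the log lines and the bytes being hashed are constructed for the demonstration; the only real values are the ones copied from this page.

```python
"""Turn this MalwareBazaar entry into checks a responder can run locally.

Added example, not MalwareBazaar's own code. ENTRY copies values from the page;
everything else (log format, log lines, hashed bytes) is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Values copied from the entry on this page.
ENTRY = {
    "sha256": "e7d4b1fb8d668e0b01943e63024f65809c6f1ee73ebcc8a969970a29138d85b0",
    "sha3_384": "87ec09feef64c53feb56838dc0ac4d0ffb127dfb65666f243c59475b7f4ae4862e1e8862cc760a0c483a99d53ddf5b45",
    "sha1": "011bc4097190adcaa3902842bbffd9ab582be832",
    "md5": "d60289c2fddd1b5e32e83e653ef587cc",
    "c2_urls": ["http://www.yourherogarden.net/dn7r/"],
    "campaign": "dn7r",  # from the tag campaign:dn7r; same value as the C2 path
}


@dataclass
class Indicators:
    hashes: dict      # algorithm name -> lowercase hex digest
    c2_hosts: set     # hostnames from the malware configuration
    c2_paths: set     # URL path prefixes such as "/dn7r/"

    @classmethod
    def from_entry(cls, entry: dict) -> "Indicators":
        hashes = {alg: entry[alg].lower() for alg in ("sha256", "sha3_384", "sha1", "md5")}
        hosts, paths = set(), set()
        for url in entry["c2_urls"]:
            parts = urlsplit(url)
            hosts.add((parts.hostname or "").lower())
            path = parts.path or "/"
            paths.add(path if path.endswith("/") else path + "/")
        paths.add("/" + entry["campaign"] + "/")  # the tag gives the same path
        return cls(hashes, hosts, paths)


def file_digests(data: bytes) -> dict:
    """Digests for every algorithm the entry lists, so all four can be compared."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def file_matches(ind: Indicators, data: bytes) -> dict:
    """Per-algorithm comparison. Anything but all True means 'not this sample':
    a file matching MD5 but not SHA-256 is a different file, not a near miss."""
    digests = file_digests(data)
    return {alg: digests[alg] == expected for alg, expected in ind.hashes.items()}


# Constructed proxy-log format: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def match_http_log(ind: Indicators, lines) -> list:
    """Return (client, url, reasons) for each line touching a C2 host or campaign path.

    The path is matched on its own as well as the host: the campaign identifier is
    the stable part of the beacon URL, so a beacon to a host that is not in the
    extracted configuration is still flagged (as "c2-path" only).
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        reasons = []
        if host in ind.c2_hosts:
            reasons.append("c2-host")
        if any(parts.path.startswith(p) for p in ind.c2_paths):
            reasons.append("c2-path")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2021-09-30T05:42:01Z 10.0.0.12 GET http://www.yourherogarden.net/dn7r/?q=Q29uc3RydWN0ZWQ",
    "2021-09-30T05:42:03Z 10.0.0.12 POST http://www.yourherogarden.net/dn7r/",
    "2021-09-30T05:42:05Z 10.0.0.12 GET http://www.example.com/dn7r/?q=Q29uc3RydWN0ZWQ",
    "2021-09-30T05:42:09Z 10.0.0.34 GET http://www.example.com/index.html",
]


if __name__ == "__main__":
    ind = Indicators.from_entry(ENTRY)
    # A constructed stand-in for a downloaded file: it fails every digest, as it should.
    print("digest check:", file_matches(ind, b"MZ constructed, not the sample"))
    for client, url, reasons in match_http_log(ind, SAMPLE_LOG):
        print(f"{client} -> {url} [{', '.join(reasons)}]")
```

Samples downloaded from MalwareBazaar arrive as a ZIP protected with the password "infected"; extract it only on an isolated analysis host and run the digest check before anything else, since a file that matches only some of the four hashes is not this sample. The third constructed log line is flagged on path alone, which is the case the host list would miss.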

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments