MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729
SHA3-384 hash:	df312b572f868e0b35eb59f92ac10c7801ad1ae8594fd7909d5d322db08544eddafc28d2912e077139c385a7ac10132e
SHA1 hash:	32c48774e472eb67925f1db6bcc0b446c84c2676
MD5 hash:	50d1fc0f3ac939a140750b5b09e8267e
humanhash:	west-social-nevada-river
File name:	210293873747736464664GEH746464.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	664'804 bytes
First seen:	2021-11-12 19:17:33 UTC
Last seen:	2021-11-15 13:26:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:uGi+jKtY1GhFHCEmqnZvSwCfzqkCkY5MuooUrQ/WlMi//YM:etYghFHChqnEwMmk9Y6u3t/ooM
Threatray	11'181 similar samples on MalwareBazaar
TLSH	T177E4ADC39AD025A5EE990F3101326C785337FF5ABCBDF5CCAE49B51217372C28266926
File icon (PE):
dhash icon	000240035b4c0248 (10 x Formbook)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/205363/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.17473.15370.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/618ebded3edf00a722d0c222/reports/49a16772-7255-4efa-a11a-9c7db9e38974/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc0cac14-2dad-453e-8f72-73ee80dcd377

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/888351

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-11-12 18:37:19 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dhdvfs7gsoznbrcarqpdyzogcmtkkmqw52veh45xdsfoivdq4uq._file

Verdict:

malicious

Label(s):

formbook

Formbook

418718725035504832c3febfb2372a9a5bb117d9811dcc67d1f290f8dd9900f4

Formbook

5e529cbb901aced8a6af49250afd3d67e059d717d7ecf3edc32e18a9d549361c

Formbook

a26563b8bb82e71f54068820dd88b7de84199111b66e33af94c09e2344d9db74

Formbook

be61aba2c5d56a20b50c5f4a682087840876fdf7504fbf5eb8ac56a0e572fb33

Formbook

dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c

Formbook

f6c1dc28509953d4c7df0cd272714f2ba3de92f85b2ba90d071710580f1df635

Formbook

+ 11'171 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ob7y rat spyware stealer trojan

Link:

https://tria.ge/reports/211112-xzyeqseah5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.metanewsroom.net/ob7y/

Unpacked files

SH256 hash:

f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729

MD5 hash:

50d1fc0f3ac939a140750b5b09e8267e

SHA1 hash:

32c48774e472eb67925f1db6bcc0b446c84c2676

Link:

https://www.unpac.me/results/aac27c45-636f-475b-b43a-a9e79771fb4b/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f0ce3a965f34/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/205363/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample