MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2
SHA3-384 hash: ee6f2fa7d12cbbea6391ca211edcacc9685e4aa181cd43b7b9b1e5b97e1a5bb3d21b9c36c3ca94ffbfb0893027c85169
SHA1 hash: 4c936926cf1781d0fc5ea3500de8123092a07ed9
MD5 hash: d1787eb80a40cfecb8027355bb60c970
humanhash: princess-shade-twenty-spaghetti
File name:file.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:496'144 bytes
First seen:2023-07-03 08:00:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:RRj+Vc/ZdXbemYiMJs99fSVW2nEK+Qh2GEfhyeq:7+VcxdXimos99fSVTPNEpu
Threatray 40 similar samples on MalwareBazaar
TLSH T14BB4E1789B98CED1D3DF613A90FAEF2D2AB0447F150B9B61AE4095F10DD62805E063DB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-07-03 08:00:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce47a969-7260-4df0-abef-a6f984ea1da4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/405737/
Detection(s):
Win.Packed.Formbook-9980347-1
Create hunting rule

Win.Packed.Cerbu-9993871-0
Create hunting rule

Win.Dropper.Formbook-9993903-0
Create hunting rule

Win.Packed.Generic-6680913-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmstp koivm lolbin overlay packed packed
Link:
https://www.filescan.io/uploads/64a2804151710bcd8d43ee20/reports/eb85689f-0a91-4de8-a706-d3e997da9c1c/overview
Verdict:
Malicious
Labled as:
Trojan.E1CAE469
Link:
https://www.hybrid-analysis.com/sample/f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7feeb3c9-256f-4d9c-afc4-c6950416a699
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1265618
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2/
Threat name:
ByteCode-MSIL.Trojan.Dotrunpex
Create hunting rule
Status:
Malicious
First seen:
2023-07-03 08:01:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gpr325l6nadhbqh7elkmstyhykk7rwt5zffvm4quag4h4z7gdja._file
Verdict:
malicious
Similar samples:
0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290
Formbook
0b187246743429e8b9e67b2041bccbd24875a9c39f903e6533db5e7a176c9417
Formbook
3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d
Formbook
4d9e0a28423515a1574837873cc75c3c495daebf2247e5353f9028d97ccf3fb6
Formbook
5e273d27c320b4ba9da91dedaa66ba91cb6ac05fa2195096a2b85e9954e981c0
Formbook
670bc9a86f72af2ab43a89c576a4e1874ce188b35a1f5656ea27f4b7ac3d5f09
Formbook
71b83a4a645cee8038819ee490a2b6324d287d8aac405adb1b373277dc5c23ab
Formbook
d73dbd022ae04284c10281b7aad42b0b80d45deec6beee79858e635a43627f65
Formbook
ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08
Formbook
e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f
Formbook
+ 30 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230703-jwjwaagg3y/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2
MD5 hash:
d1787eb80a40cfecb8027355bb60c970
SHA1 hash:
4c936926cf1781d0fc5ea3500de8123092a07ed9
Link:
https://www.unpac.me/results/1237df38-1f19-47b5-a40d-76af8d178610/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/405737/

Comments