MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f23ad612df5b25814d5448be9505bc76b8b763dfd622e69a4915736fad6d9d55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10



SHA256 hash: f23ad612df5b25814d5448be9505bc76b8b763dfd622e69a4915736fad6d9d55
SHA3-384 hash: f5fb221fada8a98dea6dd6de8e9db766d800447f0f6435821d72789b2b400b649e3ef690bff28a3c57adf2368ab79c89
SHA1 hash: edef6e678a75bd9e578194d481ef62e2b7d66806
MD5 hash: 92059948d7c9d55b9a93939f577212e4
humanhash: connecticut-quebec-eight-fix
File name: Neue Bestellung 000345.scr
Signature: Formbook
File size: 394'240 bytes
First seen: 2021-10-02 06:55:58 UTC
Last seen: 2021-10-02 08:27:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5ec7f7aedfe92c1b2393798c6fa1e0e0 (9 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep: 6144:5N1wylcPCd3l1J+bFBuLeeYx38wPJCJnxExpqJL6siOOhxxdeTr/ekI:hLWCRUBTJx8EyL6sYzxd6L
Threatray: 8'338 similar samples on MalwareBazaar
TLSH: T1D284DF096682CFF2D67106B1AB07C7E4053D7D6D5D2A720E3B98729E7E3D392D932206
dhash icon: aeb198fa9adad898 (1 x Formbook)
Reporter: abuse_ch
Tags: DEU exe FormBook geo scr

Intelligence


File Origin

# of uploads: 2
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Neue Bestellung 000345.scr
Verdict: Suspicious activity
Analysis date: 2021-10-02 06:57:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: FormBook
Detection: malicious
Classification: troj
Score: 88 / 100

Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook

Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2021-10-01 08:31:29 UTC
AV detection: 19 of 45 (42.22%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:dn7r rat spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config
C2 Extraction: http://www.yourherogarden.net/dn7r/

Unpacked files
SHA256 hash: f23ad612df5b25814d5448be9505bc76b8b763dfd622e69a4915736fad6d9d55
MD5 hash: 92059948d7c9d55b9a93939f577212e4
SHA1 hash: edef6e678a75bd9e578194d481ef62e2b7d66806
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments