MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
SHA3-384 hash: ba3c3df55ef3b3057a877bbef1f8e5d8e6ceea8aedf57ff41508407e5be7f76546fd756a6750ddb7756b346eb8c9e3ef
SHA1 hash: 6075931dff599686036726105f1dd6a5d8eec966
MD5 hash: 7f0278286e42d3cef1739db8d7865e87
humanhash: ack-stairway-cola-avocado
File name:7f0278286e42d3cef1739db8d7865e87
Download: download sample
Signature Formbook
Create hunting rule
File size:276'643 bytes
First seen:2022-02-08 19:53:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:ow3n2KQFDQNDxJ7Neb8mYVBG0MGZ8aM5xjPC4oPiSd8FWi:bn2QBxJ7NeFKBP8aoJ7oP188i
Threatray 13'522 similar samples on MalwareBazaar
TLSH T10844124D39E9CCEBD49349B045B7536ADBFBAA131618104F5F390DBE39290D2BA27242
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ENQ ORDER-_213-818R3.xlsx
Verdict:
Malicious activity
Analysis date:
2022-02-08 19:39:56 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/c401d101-4d8f-4a24-a714-3fa35f070085

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/238660/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6202cac8845a69d7734ee0d6/reports/9a226bbd-ae65-4a58-a3f4-6c9beb715ec6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea00a3cf-4d5d-4364-8594-41dff16804dd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936385
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 19:54:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6ad1733c8b7f2d689659dac3231330133c262b9448d609fd47cca16ddc255e37
Formbook
6f2d71733b4bcab1a04a40168f2900963a9f65c0081a6f1d1832d18b6bae16bb
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
c026113c33af8599afd82bb769c25eea7ac5f1212576c4306347a54a8fd5ed1b
Formbook
d0ce91945a10abde8e7569759e78430c80fb8fa42589dfaccf565cf6895f8846
Formbook
d5f77ba2b2ad58cfad5ae3111994ad0f889967e6d4f67ecb9cedf1b8f10a6149
Formbook
f61f02c5be2ef5988f474ffc148b099942ab8582cd4aac8b3c991436f6230592
Formbook
+ 13'512 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:by73 rat spyware stealer trojan
Link:
https://tria.ge/reports/220208-ymjw9aead6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Unpacked files
SH256 hash:
18bc0575a86ba5283fb41bbe8a79d5adfe9742103e0dc78b0eaff0fd142363c5
MD5 hash:
234a91530e65a22e89df526f623bf47f
SHA1 hash:
2fa9afb2d17692097bbeb8a071e3686f5868c1a9
Link:
https://www.unpac.me/results/9e07a764-c9b0-482a-9d8d-d254acb60fec/
SH256 hash:
fcaa4745a6e0e18276b4755fe192422558fd825f6d8e4dfaa4410e0fce5eb2e5
MD5 hash:
b3006620df07af3e924ae803931bd0a9
SHA1 hash:
660288cb2297baf9c537e440e8bff3bd80277e2e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9e07a764-c9b0-482a-9d8d-d254acb60fec/
Parent samples :
f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
9bece1a915a3849979795cea77094ccf1c1bc8d93b33ef05a84c8d56988c2816
a83afdd193623f46ac870f04455f2176d64466c5e2d3cd92eda0498de29f0417
7e63ecb107ecbb32d253e5c84cf5a964f82880cfde059f8d6b11cf89d6921687
0736da1f42878cc4630f0b855fb638e76989fc53513fac93061cfdd49f9c94cf
1363922a984440ab7ffb7f1f4872704bc6a96008412d399728b20cc8cb1e4abb
45a19ea1dcf965e6baa12c63ab7be3bf7c550a7573f40a7af04698d56af7a706
SH256 hash:
f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
MD5 hash:
7f0278286e42d3cef1739db8d7865e87
SHA1 hash:
6075931dff599686036726105f1dd6a5d8eec966
Link:
https://www.unpac.me/results/9e07a764-c9b0-482a-9d8d-d254acb60fec/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f556af7cd24c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/238660/
  
URLhaus
https://urlhaus.abuse.ch/url/2037362/

Comments


Avatar
zbet commented on 2022-02-08 19:53:39 UTC

url : hxxp://107.174.138.158/355/vbc.exe