MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b
SHA3-384 hash:	6cd78181eece64a1adc4b69481de8326fee5474c8e0b6b63c3dd64107c7468e9596bda885f68115b1e06b2c156b7e2aa
SHA1 hash:	dcb886d4a4177c5af4a57137cd78e458ae0c5083
MD5 hash:	18653ba7baa00d4eae7f02368a3b5bc2
humanhash:	violet-carbon-pluto-romeo
File name:	SecuriteInfo.com.Win32.SpywareX-gen.8314.32073
Download:	download sample
Signature	Formbook Create hunting rule
File size:	290'816 bytes
First seen:	2025-02-06 13:37:19 UTC
Last seen:	2025-02-14 10:59:00 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:aMi1gkMYPj2ts4lXIrxUQFWDRo4n3nmHfS6vJWa9aIer+tGE:aLOkM2P4lXIrJB4nXmZJWaYpZ
TLSH	T1CE541242235991F0C49F827D2EEF610A045D3FA5BE296BB5EF286C48017DC9CC9717EA
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.3% (.ICL) Windows Icons Library (generic) (2059/9) 16.1% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	196-251-92-64 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

455

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.SpywareX-gen.8314.32073

Verdict:

No threats detected

Analysis date:

2025-02-06 13:44:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e99f3c3e-c370-44b9-b22d-64a691fd3dc0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.SpywareX-gen.8314.32073.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a4bc992dcee78dd819c569

Tags:

injection virus zpack

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

crypt microsoft_visual_cc obfuscated overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/67a4bb4b4293ba5ea47d7b36/reports/3e3d101c-7004-4aed-97ef-64949d72ce56/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa25e52d-e320-4d33-b0f4-7aac38b4dff0

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1608380

Signature

Antivirus / Scanner detection for submitted sample

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-02-06 10:36:11 UTC

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=626gdgzwx4b5lohrqpl6b4hd6fqk7n2vuputhzn6jlxbfslaozvq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250206-qxf94swnbx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f0a898b1-690b-4ef6-9882-40372712bda3

Unpacked files

SH256 hash:

f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

MD5 hash:

18653ba7baa00d4eae7f02368a3b5bc2

SHA1 hash:

dcb886d4a4177c5af4a57137cd78e458ae0c5083

Link:

https://www.unpac.me/results/5fe569eb-23f3-4f5f-bf30-552b93eb081a/

SH256 hash:

ba4c85d3e28dedf71e5160ee71789c7c0b51200afb04c5b2b9d988b2e46459fb

MD5 hash:

30fca4f059a2ea492f361af1f09ca826

SHA1 hash:

a60144dc18383f208c0560815ab4119b68212c45

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/5fe569eb-23f3-4f5f-bf30-552b93eb081a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f6bc619b36bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3429873/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample