MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f84b362a10ce6a355e3d48e602f672416acddab0194b1dc0ffaa01213bf28d2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 12

SHA256 hash: f84b362a10ce6a355e3d48e602f672416acddab0194b1dc0ffaa01213bf28d2a
SHA3-384 hash: 8688ac134888f9c5ab8d841230bf90f8e693081bf29626b24365e50c67e5d7d0fb66eedfd13184662420db542672667a
SHA1 hash: 8d27ee25b4ecec41a89a84dfc01965d4b0cd38d7
MD5 hash: 964873405cd08188addb3258d9da28bc
humanhash: cup-artist-fanta-bulldog
File name: Re Teklif Siparişlerini Onayla - E1105,pdf.exe
Signature: Formbook
File size: 533'975 bytes
First seen: 2022-02-23 12:03:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 6144:kxDy4sYGXWwpKgn3hFuqQCdRJ1fHvL9HNnBmVl3WnjRr:IGXWwpKuFui3JxDvOWnjRr
Threatray: 16'313 similar samples on MalwareBazaar
TLSH: T197B44BC1D6883CF5F81917724D36AD222157BE7CA9B4542E695EB42A5BF328330F2C1B
dhash icon: 1f1c4bca1b2d1f1b (3 x SnakeKeylogger, 2 x Formbook, 1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe FormBook geo TUR

Intelligence

File Origin
Uploads: 1
Downloads: 181
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 577182
Sample: Re Teklif Siparişlerin...
Start date: 23/02/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Process tree:
  Re Teklif Siparişlerini Onayla - E1105,pdf.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\bwbyo.exe (PE32)
    bwbyo.exe (started)
      signature: Tries to detect virtualization through RDTSC time measurements
      bwbyo.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
          svchost.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            cmd.exe (started)
              conhost.exe (started)
            explorer.exe (started)
          autochk.exe (started)
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-02-23 12:04:12 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Enumerates physical storage devices

Unpacked files
SHA256 hash: 389e0d9081335f9588fe7b116fe98d5a7ee8a0b51855faa85eda7d07e58aa0ed
MD5 hash: e26e2015dce280faaa5840d54ed59e77
SHA1 hash: f86cb579268a7b7dfa3dcc301231ded8423986c8

SHA256 hash: f84b362a10ce6a355e3d48e602f672416acddab0194b1dc0ffaa01213bf28d2a
MD5 hash: 964873405cd08188addb3258d9da28bc
SHA1 hash: 8d27ee25b4ecec41a89a84dfc01965d4b0cd38d7

Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments