MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945
SHA3-384 hash:	229084edb1bfb87d14f64f46b0f7af2deb449b6154ea79219a61ee7ac774dc3d6da97b15b1835262df0a9f40d0d11517
SHA1 hash:	6e022db1a83984e4f02744834bfbe4ac6b03117c
MD5 hash:	f19ee52e8d1b10d2b91d24662fa56a2f
humanhash:	montana-louisiana-bulldog-sierra
File name:	Pago en su nombre.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	29'696 bytes
First seen:	2022-02-11 18:09:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:/eSu2DmOVI+wVMtB2Q1ddddddVDh9diF5tzQT:m2SGB2Q1ddddddVDh9diF5tzQT
Threatray	9'410 similar samples on MalwareBazaar
TLSH	T113D24A0FEFCC7367CA6D403644043A3117F0E97DEE169B598484FA3DBEAB3566A81614
File icon (PE):
dhash icon	3269cc963333b2cc (1 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/240976/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6206a68245ddfa2e18c06650/reports/000e2382-dfcf-41eb-8471-4e0b0e0b0a01/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c4506734-e821-41f5-b91d-b82b3de69ad8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-02-11 18:10:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7jh6kk3a3hnivzzv7zp7aqiuvpizi5kpzvgkstafldfh62r3hfcq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4bc96a8bb1739c227e539a7aa4156cb6c1023a254e2660135351edbe9a7db8e2

Formbook

727d99fbf5a7d58b50ea62f289cf59b251ffe3e6f5d9487f7716127654e6e32a

Formbook

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1

Formbook

7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c

Formbook

b52df691d7fb9b73288ec52b8c8b3f3dc70e262ff8af122f275ac93300aede07

Formbook

d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb

Formbook

e8e0f125d909bafae93f469222f2cfbcb30585e03825d8442c8934a92fdd6c89

Formbook

f61f02c5be2ef5988f474ffc148b099942ab8582cd4aac8b3c991436f6230592

Formbook

ff3f7736a06e89ae300270369d83b922423c8a840903b30a8a21365c4b0b0628

Formbook

+ 9'400 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:by78 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220211-wr4fcaefak/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945

MD5 hash:

f19ee52e8d1b10d2b91d24662fa56a2f

SHA1 hash:

6e022db1a83984e4f02744834bfbe4ac6b03117c

Link:

https://www.unpac.me/results/5750846d-f752-4f9c-b817-ea6177035989/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exec_macros Create hunting rule
Author:	ddvvmmzz
Description:	exec macros

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/240976/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample