MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 17


Intelligence 17 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
SHA3-384 hash: e0cae5d201d213730c32d83e4ceb19ce2d104f6f20d4cfc9b5c337134366cfe192d963380edbff7b835bfd9a7e419ee0
SHA1 hash: 28aac545fcd0c9b11d2546110966b812d1c6d920
MD5 hash: f6e047942236cefdcd6559bca66a7b3e
humanhash: hydrogen-dakota-table-pennsylvania
File name:fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
Download: download sample
Signature FormBook
Create hunting rule
File size:1'627'744 bytes
First seen:2024-10-09 10:31:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22a65106d3d84ea74d966fa0424a5a0c (8 x Formbook, 2 x AsyncRAT, 1 x AgentTesla)
ssdeep 49152:WAodtaG9kS2U84B+FLan9k5TRM9zlCVjkvr:K/B1Jz
Threatray 3'588 similar samples on MalwareBazaar
TLSH T1D375BF19E3A811FCD52BC634CA55A233E6B174560B21A4CF1B99C7452FB3EE26B7B301
TrID 47.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
35.2% (.EXE) InstallShield setup (43053/19/16)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-09-24T06:07:22Z
Valid to:2025-09-24T06:07:22Z
Serial number: 7e3f87eb2fc12cdcddcce4a1ae9d2dca
Thumbprint Algorithm:SHA256
Thumbprint: 600744d0ff24705e75c13bb64d916b2a929e430747c684d8854ad8e6ccda519b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
387
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
Verdict:
Malicious activity
Analysis date:
2024-10-09 10:28:02 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/07429a11-57d5-4ef8-aa6c-5cdd46a1cc47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67065ba7f936b5621b0bc0a4
Tags:
Powershell Exploit Trojan Sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint hacktool lolbin microsoft_visual_cc overlay packed regedit shell32 signed
Link:
https://www.filescan.io/uploads/67065ba34f53598f1493911a/reports/4627f168-3e76-41e2-9674-c54af42bf222/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ba4f4786-1591-443f-afa1-81885b2743ed
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529801
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529801 Sample: Iifpj4i2kC.exe Startdate: 09/10/2024 Architecture: WINDOWS Score: 100 34 www.zbbnp.xyz 2->34 36 www.a1b5v.xyz 2->36 38 17 other IPs or domains 2->38 44 Multi AV Scanner detection for domain / URL 2->44 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 52 5 other signatures 2->52 11 Iifpj4i2kC.exe 1 2->11         started        signatures3 50 Performs DNS queries to domains with low reputation 36->50 process4 signatures5 56 Writes to foreign memory regions 11->56 58 Allocates memory in foreign processes 11->58 60 Sample uses process hollowing technique 11->60 62 Injects a PE file into a foreign processes 11->62 14 csc.exe 11->14         started        17 conhost.exe 11->17         started        19 svchost.exe 11->19         started        21 cmd.exe 11->21         started        process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Maps a DLL or memory area into another process 14->74 76 Sample uses process hollowing technique 14->76 78 3 other signatures 14->78 23 explorer.exe 58 1 14->23 injected process8 dnsIp9 40 cbmsource-web-5091.rejcdn.com 104.18.14.105, 49988, 80 CLOUDFLARENETUS United States 23->40 42 www.wshifen.com 103.235.47.188, 49900, 80 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Hong Kong 23->42 54 System process connects to network (likely due to code injection or exploit) 23->54 27 wlanext.exe 23->27         started        signatures10 process11 signatures12 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66 68 Tries to detect virtualization through RDTSC time measurements 27->68 70 Switches to a custom stack to bypass stack traces 27->70 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0/
Threat name:
Win64.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-09-29 01:05:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wbiyu2lbzwosrqzemi53h5nvwmoql6msh7b6o633rssztb7ypia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
219a330b7ae9807411d289f28169861fc748f50212ae2317278bfe155d89990f
FormBook
2d9e008828a19f6329b2ca4abcfdefa9b124e1eb5eb3270be8b6f1f77476b3d1
FormBook
32a211990a974cc2acdd1b3814a2f0ace854025a41f56c6fae00c75d334fbec9
FormBook
6f4ef07076ebad36eea92eeaeb42b91bdf910d4e93bc0bf6b4fc40e6d191ed83
FormBook
eaffc7cc6da06f5894642bb88fff4a0186cf61100558af3cb552145f86d8e041
FormBook
error
FormBook
fcf632af143e88dfba5e9256d0fb238eb314b0d20e63141cb659ed7ad001cbb4
FormBook
+ 3'578 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:md02 discovery persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/241009-mkyf3svaqd/
Behaviour
Modifies Internet Explorer settings
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Adds policy Run key to start application
Formbook payload
Formbook
Verdict:
Malicious
Tags:
formbook
YARA:
n/a
Link:
https://app.threat.zone/submission/2910117a-0408-45f3-9a32-97ed3996fa52
Unpacked files
SH256 hash:
fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
MD5 hash:
f6e047942236cefdcd6559bca66a7b3e
SHA1 hash:
28aac545fcd0c9b11d2546110966b812d1c6d920
Link:
https://www.unpac.me/results/6d4bb5f4-5d02-430e-ab45-b75938b3a5cd/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd828c534b0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolIo
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments