MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7
SHA3-384 hash:	056a098781430022b46d292033e59cd5194fb9780b6e5eb9dec590612a43978adec85ecb9984ae659999d7b07cbfb7f0
SHA1 hash:	4425d397031ce6d17296140b3c1b10501bcf4b3b
MD5 hash:	075d6e4f8a84d88bec79195d2f43b272
humanhash:	tango-violet-kentucky-uniform
File name:	fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7
Download:	download sample
Signature	Formbook Create hunting rule
File size:	388'956 bytes
First seen:	2023-10-12 10:46:46 UTC
Last seen:	2023-10-12 11:53:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep	6144:BnPdudwDsinYtuX902mOeqdUo1UBJ9lWC6MPrlRO69bHDAVt2RxJqJttehlvNhzN:BnPdwGTXW20qdIJ98uloMHDg2NQm3Nh5
TLSH	T13184234517B5C563E1D70631BE6FE06F9AF8C81640DC1B0A4B856B3B7829A92CF2F852
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7

Verdict:

Malicious activity

Analysis date:

2023-10-12 10:47:20 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/662705c9-4e5b-4cb7-966b-e1f78031aced

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453761/

Detection(s):

SecuriteInfo.com.Trojan.Loader.1550.25762.15643.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control formbook installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6527cea8853e4f06480a8502/reports/91632a11-a889-401e-852f-383f977ad53e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6719256-bec3-4d76-8a9e-87487290e770

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2023-09-27 22:37:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7yidoc4e73wzzxzcfimqaws7es277jrokwnmvn73yagnwoymtotq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231012-mvjqnsga27/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

f67a81f108069a51346dd3a0ac9d5d2daeeed055e26f7f3c604221f72647fb57

MD5 hash:

9ee7edc0225b1b7732ccf1c7c0ee3cc1

SHA1 hash:

3189b31958530dbbb35f9896cf5230b29015b858

Link:

https://www.unpac.me/results/0e76bac8-083a-40d2-a133-da1c654bd11c/

SH256 hash:

fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7

MD5 hash:

075d6e4f8a84d88bec79195d2f43b272

SHA1 hash:

4425d397031ce6d17296140b3c1b10501bcf4b3b

Link:

https://www.unpac.me/results/0e76bac8-083a-40d2-a133-da1c654bd11c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fe10370b84fe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fe10370b84feed9cdf222a19005a5f24b5ffa62e559acab7fbc00cdb3b0c9ba7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453761/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required