MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842
SHA3-384 hash: 26adb317028bc6b3bab06104e9ca45f623ed10796acf08dbcb78266f317c8ccb234db68a30548333b38aa877a0dd88e2
SHA1 hash: 5548c8fe4eddf15bc2df7eeafa67a1ad04c9a187
MD5 hash: e54629bc607849f6eb37798867fd9030
humanhash: pasta-zebra-social-magnesium
File name:e54629bc607849f6eb37798867fd9030
Download: download sample
Signature Formbook
Create hunting rule
File size:244'699 bytes
First seen:2022-04-01 14:39:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmKTrzpiSpTq7tgdxhfYoSIg/9hq0ukZVVbAkUTFo:HNlwrzpiiTq74xdYcg/90jk1bAkCo
Threatray 14'620 similar samples on MalwareBazaar
TLSH T18B3413522BB4C4A1D8E311311F36A7B6DBFE861059EC4B5B3B515BDC34223928F0E75A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.13829.501.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Searching for the window
Creating a window
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12345/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62470ec61f20423948655f95/reports/7f94b315-9453-4cfd-8a25-059b3c90d5a2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddcb062f-588e-40a3-975e-5c086110f850
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/969087
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-04-01 14:40:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=75hxwu4tfbv6lywjis5prq4esr4wvafbzo4dhpr6v5ith3gfdbba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
Formbook
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
38444024682d6ea391135d374ecd6f457bb01df512801e25fcbd2931afe58d92
Formbook
3a00a090c263abb496651ab7cc34306e224c62b14c3a8b85fe56d30c51af1bb2
Formbook
69785e004f3bf684c91c8f188058022933f954154f42d4dc41047be3713397ea
Formbook
75362f20dab8d57db3ade6427e647b0bc01d8345ccfa9781d5778877f04f7fb5
Formbook
786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
Formbook
d3fae1feacb2e75560f838099213ae33385d6a0a11caa222a4f09024721e2720
Formbook
ea816c6cab43420b789f780a35e40db03db4c63769122cc2ae2bd3955f6f9938
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 14'610 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:xc52 loader rat suricata
Link:
https://tria.ge/reports/220401-r1vscahbcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
f12a33f8d090625ae066b3bbe95f94e0e646c3b65f28e5caf4d781468e58e099
MD5 hash:
e8eabf6ad0a7c67695c986ee77add6cf
SHA1 hash:
ae30a84cf59f16deef7e2e2b5352ee0afaf75389
Link:
https://www.unpac.me/results/c388964b-2f87-4032-93d7-7d5d8b3f4751/
SH256 hash:
7d4204143a80011c450f7df43258915554698d9e07f76762a134814ce11fe2e3
MD5 hash:
246e49609e933a155f99faa5d83a85df
SHA1 hash:
aea747867cc04daa6d3935a0175883c65671d0ea
Link:
https://www.unpac.me/results/c388964b-2f87-4032-93d7-7d5d8b3f4751/
SH256 hash:
28e384122142131d59cf40d38fefe1439a0783ac1c3ea0351a46ddcbffabb8af
MD5 hash:
221bd0ac6c0ce38190aa3fef9cdf2858
SHA1 hash:
8b28f71b63649f1ae10900978315bed2c5fb9425
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c388964b-2f87-4032-93d7-7d5d8b3f4751/
Parent samples :
3a00a090c263abb496651ab7cc34306e224c62b14c3a8b85fe56d30c51af1bb2
ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842
841c900cb4b5f163f77a80953d1dfc4d3f97125be41ad23ac4674b11f1f533e6
5c6229c4315a736e487b6eae35dd91d600316c8f00ccbbf38f992c6edc9cffd0
SH256 hash:
ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842
MD5 hash:
e54629bc607849f6eb37798867fd9030
SHA1 hash:
5548c8fe4eddf15bc2df7eeafa67a1ad04c9a187
Link:
https://www.unpac.me/results/c388964b-2f87-4032-93d7-7d5d8b3f4751/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff4f7b539328/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ff4f7b5393286be5e2c944baf8c38494796a80a1cbb833be3eaf5133ecc51842

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2127065/

Comments


Avatar
zbet commented on 2022-04-01 14:39:51 UTC

url : hxxp://84.38.130.146/711/vbc.exe