MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532
SHA3-384 hash: 18b21416d8e7e27459b68e29623a1b97412e816d46339c17b142a160ca29c60e2e4156311cc67690185fa3fe41b9010a
SHA1 hash: d8f26c60fc804d46482850f3daf6466372798237
MD5 hash: 6b76b31674beb7e8aa442834dacd9b8f
humanhash: ten-pluto-yellow-ohio
File name:6b76b31674beb7e8aa442834dacd9b8f
Download: download sample
Signature Formbook
Create hunting rule
File size:568'832 bytes
First seen:2021-11-09 12:57:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'456 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Zhf3doyED1TKXK7My0AXcD7BvChdWsEk9KD1:TNoys1uG0+ss5i1
Threatray 11'234 similar samples on MalwareBazaar
TLSH T1ADC4AF52691467F2C0D18BBFBF63737087749D861C1FCB2606A8F36C497AAE09E1B446
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204496/
Detection(s):
SecuriteInfo.com.Variant.Bulz.903852.31825.13566.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618a7062175442ca93a919a1/reports/cf73fd29-f2bf-4fa8-8918-85b6f2b84f54/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38730cf6-45ea-46fc-9b89-10da18c33534
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885990
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 19:39:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5beadd0ecc9f1407dab89746630fddf7362dd00323e6a5e5413a0c286e2ee583
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
7c0ab1d837684e8d37e75578f4821e25d7729cb9d3739f397cabbb9c95f2ddae
Formbook
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
Formbook
9f59a9c7a38d8031c5b0829da6c4c10951b1de67adada4f567449d4b6ea8d83c
Formbook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Formbook
c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
+ 11'224 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:nqm8 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211109-p7hegscdan/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.mmsite.site/nqm8/
Unpacked files
SH256 hash:
a9a7faeb7d569598c75f663797622a5486f313dd52b1fa0f530aaad354c49574
MD5 hash:
9f0072037109bbbab69a4994a5ddc493
SHA1 hash:
65ba062434fbd0511f885251fef155bc2dd4e1ee
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/52e606b9-1c3c-4cad-9974-37de4a9ea6ec/
Parent samples :
02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532
79b330be28c56e7a86067b9c5300213b939a5f2f6e323e5cf76f8b1c42afe9c5
7930bf3f1be9acdf429e2433aa7d0c36985d9a97e580571fee1ffe8cbc0d8f5a
71b4619d3dd4bb8e3619a2ebfe39f71c728d0d723992e44c8564dab8e8035b28
e4b24664fbf0d04e761c36b6dcfb06c1f301b81a5f4c7c4696b2db972f20708a
SH256 hash:
110a28b39b1e0840684110fa77a580effce50755cb865ce9df566f1fff308d05
MD5 hash:
17d644e87b9923fb2a0ed51e7594d82f
SHA1 hash:
863600e4908ebd4ed26285e210d983d04399e600
Link:
https://www.unpac.me/results/52e606b9-1c3c-4cad-9974-37de4a9ea6ec/
SH256 hash:
744a5b8e44b0fd5ccdd121b8219e4c67ac104cc5e0ee7973189b7cd779316981
MD5 hash:
9d2a4c59b5457fa888b3608ba28ea03e
SHA1 hash:
8170ce1474b155541d61c3a97e5c5d2e0268ee77
Link:
https://www.unpac.me/results/52e606b9-1c3c-4cad-9974-37de4a9ea6ec/
SH256 hash:
02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532
MD5 hash:
6b76b31674beb7e8aa442834dacd9b8f
SHA1 hash:
d8f26c60fc804d46482850f3daf6466372798237
Link:
https://www.unpac.me/results/52e606b9-1c3c-4cad-9974-37de4a9ea6ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 02a852aaa839120b0e557629b63a754cb302ebe2f11275d3e4fb68f4f1e70532

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1769322/
Cape
Cape
https://www.capesandbox.com/analysis/204496/

Comments


Avatar
zbet commented on 2021-11-09 12:57:52 UTC

url : hxxp://f0597568.xsph.ru/cf.exe