MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
SHA3-384 hash: e6f9735e2ac11d99662b7978c270ec273133532adff12c2a472c6e54765c3ef371e782a48c653892a60488a67d82f8a5
SHA1 hash: 63e74fa4f23e99abd88ffd250c850636a0138e8f
MD5 hash: 1d41e32ebf12225fb2895aced3d60e9b
humanhash: low-magazine-twelve-paris
File name:1d41e32ebf12225fb2895aced3d60e9b
Download: download sample
Signature Formbook
Create hunting rule
File size:579'584 bytes
First seen:2021-11-24 20:06:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Cv6tD00UizirSHrq1EDMTn3eu44JejuXtzlXrMfvWBPLm:Cv6C03irSHrcEwD3M4EuXdl7MfvMC
Threatray 11'587 similar samples on MalwareBazaar
TLSH T1C1C401943358ABA3CC394BF50D30D1C523B27556B544EA5EACCA21CE2E33B155B227BB
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d41e32ebf12225fb2895aced3d60e9b
Verdict:
Suspicious activity
Analysis date:
2021-11-24 20:12:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9504fd99-59c9-4e9a-a947-b6cac42b1f86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619e9b6ef36138de3f3a8555/reports/68b6741a-87ad-4154-abee-cee41d4d13f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c86afde-f872-4f30-8820-d9a80ace1ecd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895737
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528216 Sample: k7MFswPsqO Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 31 www.immediate-edge-pl.xyz 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 9 other signatures 2->45 11 k7MFswPsqO.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\k7MFswPsqO.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 k7MFswPsqO.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.ofd-trade-sender.com 194.58.112.174, 49816, 80 AS-REGRU Russian Federation 18->33 35 www.metanewsroom.net 18->35 37 192.168.2.1 unknown unknown 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 20:07:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2b61cfb00cc8a45fdae91c176c8e68be4ac7cefbe0fab5781e5fa44d2ec4ca9f
Formbook
418718725035504832c3febfb2372a9a5bb117d9811dcc67d1f290f8dd9900f4
Formbook
754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
Formbook
b7602e7d309795640e020a679f93dfd3cb890bc9073a8ead233ab5323c6e0551
Formbook
d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
Formbook
f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729
Formbook
f6c1dc28509953d4c7df0cd272714f2ba3de92f85b2ba90d071710580f1df635
Formbook
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
Formbook
+ 11'577 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ob7y rat spyware stealer trojan
Link:
https://tria.ge/reports/211124-yvzmnsdegm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.metanewsroom.net/ob7y/
Unpacked files
SH256 hash:
2da5a77c6251c64099055f36662277c298c83062c5c14dfdd5089319ce85a053
MD5 hash:
a766f9394fe7d0012da3ec32f533f081
SHA1 hash:
428115ad57dcbc26b22c151419509827f31882fa
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ecdd63e0-a672-410d-b49f-17d5cc7161e9/
Parent samples :
754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
SH256 hash:
302ac54c94e8bdb12b7fdaeef76e2b936e0294ea5b1ced38c6da51ef50c3067e
MD5 hash:
d1a58ca8f82c480763bfa3205e80b770
SHA1 hash:
7b23287d165b2dae07ead2625bd4e1e525d27a1b
Link:
https://www.unpac.me/results/ecdd63e0-a672-410d-b49f-17d5cc7161e9/
SH256 hash:
70f9ca5c79e780cdb012a758b530d9e273ab22cef8059f637cc914f7090f7d3b
MD5 hash:
f5699c7f9832e599d7aad59fcbe3c965
SHA1 hash:
51a5450bce5f9324e54d78aa133cba13f0af0a9f
Link:
https://www.unpac.me/results/ecdd63e0-a672-410d-b49f-17d5cc7161e9/
SH256 hash:
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
MD5 hash:
1d41e32ebf12225fb2895aced3d60e9b
SHA1 hash:
63e74fa4f23e99abd88ffd250c850636a0138e8f
Link:
https://www.unpac.me/results/ecdd63e0-a672-410d-b49f-17d5cc7161e9/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0626da1000aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209184/
  
URLhaus
https://urlhaus.abuse.ch/url/1727762/

Comments


Avatar
zbet commented on 2021-11-24 20:06:50 UTC

url : hxxp://binatonezx.tk/obizx.exe