MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548
SHA3-384 hash: 8ddd8a854ee05a8a774a55513353ea13f920fa4579da0f1d0c9266be9bc648b8b598aab3ffb7d1a1ab24945bbd16e28a
SHA1 hash: b9fd1ec9600450c9eefd84ff4714efdd034317b9
MD5 hash: 1d070a19fdecc7aa8e3beee23a84cc0f
humanhash: hydrogen-uranus-muppet-king
File name:1d070a19fdecc7aa8e3beee23a84cc0f
Download: download sample
Signature Formbook
Create hunting rule
File size:652'288 bytes
First seen:2022-04-04 16:47:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:sxBJ12GDJnvJMgQhOwUNX4f2AWXPx3cx:o12cJhMgcOwqofkXP
Threatray 11'828 similar samples on MalwareBazaar
TLSH T1BFD4D03C67F84A52FABE4BFDA1A1404093B5B612981FF70E5AD124FA1D73791CC22A17
File icon (PE):PE icon
dhash icon a2aab28acad696aa (10 x Loki, 8 x AgentTesla, 8 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260693/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.34136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware obfuscated packed remote.exe update.exe
Link:
https://www.filescan.io/uploads/624b218cdb9ca5cf841d20f4/reports/2c549de2-e10c-4869-84c5-c9a8237cb864/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f382e9ca-49e0-4c5e-bf8b-f44d33164e70
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970278
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602765 Sample: hx5Oyxa3bd Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 9 other signatures 2->50 10 hx5Oyxa3bd.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\RoamingJWeZLsqU.exe, PE32 10->36 dropped 38 C:\Users\...JWeZLsqU.exe:Zone.Identifier, ASCII 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmpB895.tmp, XML 10->40 dropped 42 C:\Users\user\AppData\...\hx5Oyxa3bd.exe.log, ASCII 10->42 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 10->52 54 Writes to foreign memory regions 10->54 56 Adds a directory exclusion to Windows Defender 10->56 58 Injects a PE file into a foreign processes 10->58 14 MSBuild.exe 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 2 other signatures 14->72 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process8 process9 27 chkdsk.exe 21->27         started        signatures10 60 Modifies the context of a thread in another process (thread injection) 27->60 62 Maps a DLL or memory area into another process 27->62 64 Tries to detect virtualization through RDTSC time measurements 27->64 30 cmd.exe 1 27->30         started        32 explorer.exe 2 150 27->32         started        process11 process12 34 conhost.exe 30->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 08:16:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3j2o6zs2cqcwamhdwek2vd5p62zchkekruftdjlslfg5lnpevea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
65111c916600ffd7c9407db3a70147e7333a2d6e504c049c548e58db09a6ff6a
Formbook
8802a6f507c02074894fae7351418312e6fded323950238e06691adb61da984f
Formbook
8f4007f0c6f570327d5026756b4a48c8a776a6a9516b28a83913307d3db760f7
Formbook
be7618e17ee02d548fd4c9ce00e3075eaea5a3c3bb2cb649ca71cca58f391372
Formbook
ca9e3eb1d13a6138d7fcea0b9490d55cac9ad232aa46cd1d47b15428594d2fbb
Formbook
d9477f38fadfaf52a609392f7b372b558c7aa029da15f940331fcc48ef0ad9a9
Formbook
dfca2f8f463f035fbf2e00c4c2791d931a905cacea11a14ebfcba3b09554308b
Formbook
f6d0dff73d9ce1016095bd9f8ab244b8a651e96ef43dfc4581d0e9c7b442ed56
Formbook
+ 11'818 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r31e rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-va38ksdbek/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4
MD5 hash:
bfcf754fb9acba752f79f44817b7be23
SHA1 hash:
01af19456b6f97790973d0d67a97ecc362ab7aed
Link:
https://www.unpac.me/results/4d72865a-b8e4-44c1-8c1f-89135674ec7d/
SH256 hash:
1abb2017d24aa12677f946c55e97f32cd376cf59a8ef510d4fac9af2a1bf62d0
MD5 hash:
f45702d699874583e7c70fd4abdcd379
SHA1 hash:
8d50a0d92a1cb658cd831a8dfbf463699b1c6ad8
Link:
https://www.unpac.me/results/4d72865a-b8e4-44c1-8c1f-89135674ec7d/
SH256 hash:
554e01d3b8b1ed6ab151b9f9187450e79b87c696501cd23f3e9fc3f9a41a9b30
MD5 hash:
631f44557702b9e590155955b3a69dab
SHA1 hash:
ff031e05b9c50790f04c099e4fc14741b2f6f30b
Link:
https://www.unpac.me/results/4d72865a-b8e4-44c1-8c1f-89135674ec7d/
SH256 hash:
861903f997faec1c4c00d052724b71e2fc9cf4f904f95abf73c94445070d6430
MD5 hash:
ea287bbd825aa9d7d43a3e49892b34d7
SHA1 hash:
b3494917dd0cf23a40d96c6dfb7b2ea7232b9b4a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d72865a-b8e4-44c1-8c1f-89135674ec7d/
Parent samples :
06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548
eadfef2b763b5d1e06929169e6b0f9858b1af9c51a389a09f0dc87f4e1e8c1ff
SH256 hash:
06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548
MD5 hash:
1d070a19fdecc7aa8e3beee23a84cc0f
SHA1 hash:
b9fd1ec9600450c9eefd84ff4714efdd034317b9
Link:
https://www.unpac.me/results/4d72865a-b8e4-44c1-8c1f-89135674ec7d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/06d3a77b32d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 06d3a77b32d0a02b01871d88ad547d7fb5911d445468598d2b92ca6eadaf2548

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2130938/
Cape
Cape
https://www.capesandbox.com/analysis/260693/

Comments


Avatar
zbet commented on 2022-04-04 16:48:12 UTC

url : hxxp://198.46.201.96/fresh/SOA.exe