MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
SHA3-384 hash: 5b8979481e70a722ba3d73985b21dda4da5171e099c52edf073c681ba816b836b44f8542ad739c7fac1cfea2ebb49e37
SHA1 hash: 50cfa9d5f4f391ff1c26c05feaea9a407903adfc
MD5 hash: d0e5bb36613f00ef4cedbbeca5e87b8a
humanhash: nine-florida-louisiana-batman
File name:Invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:571'904 bytes
First seen:2020-11-18 10:43:39 UTC
Last seen:2020-11-18 14:57:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:2uth3BLN/N0fxy1JwuNIyFgaDAF8Fm+wSScMtlfZBST:26h3B0fg1JZ0FamCJ4t
Threatray 3'014 similar samples on MalwareBazaar
TLSH 53C42382C3ACC56ED7AB2231A06E405D0671F58C7113EF64DACCAF063AE6BD6847D971
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.461.26200.9395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/540842
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 319523 Sample: Invoice.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 10 Invoice.exe 1 2->10         started        process3 dnsIp4 48 192.168.2.1 unknown unknown 10->48 66 Writes to foreign memory regions 10->66 68 Maps a DLL or memory area into another process 10->68 14 RegAsm.exe 10->14         started        17 Invoice.exe 10->17         started        19 RegAsm.exe 10->19         started        signatures5 process6 signatures7 76 Modifies the context of a thread in another process (thread injection) 14->76 78 Maps a DLL or memory area into another process 14->78 80 Sample uses process hollowing technique 14->80 82 Queues an APC in another process (thread injection) 14->82 21 explorer.exe 14->21 injected 84 Writes to foreign memory regions 17->84 25 RegAsm.exe 17->25         started        27 RegAsm.exe 17->27         started        86 Tries to detect virtualization through RDTSC time measurements 19->86 process8 dnsIp9 42 www.lyoml.com 156.241.53.234, 49733, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 21->42 44 www.52wanlol.com 45.39.153.189, 49736, 80 EGIHOSTINGUS United States 21->44 46 www.smallfrytacos.com 21->46 58 System process connects to network (likely due to code injection or exploit) 21->58 29 svchost.exe 21->29         started        32 ipconfig.exe 21->32         started        34 autofmt.exe 21->34         started        36 autoconv.exe 21->36         started        60 Modifies the context of a thread in another process (thread injection) 25->60 62 Maps a DLL or memory area into another process 25->62 64 Sample uses process hollowing technique 25->64 signatures10 process11 signatures12 70 Modifies the context of a thread in another process (thread injection) 29->70 72 Maps a DLL or memory area into another process 29->72 74 Tries to detect virtualization through RDTSC time measurements 29->74 38 cmd.exe 1 29->38         started        process13 process14 40 conhost.exe 38->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 10:19:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bepwyu5e6455vqms4cf5ubcz6xuk7fj2hqvvzxxbovtxganiz32q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
073c6184b73bb8ae675774bd64e81e1023f6df992fb763358f9653d980e4b55e
Formbook
07b296fafcefb5dbbf7148a96fc968664011aca0070b72732fb00886fbea9741
Formbook
29b9120d8ad7140f77528da00668da77b956fd76ef4dd0ba0af550b771a387b2
Formbook
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
Formbook
6308def230fca10ddd70426bb31764afd2564530a7ff775cf28e5e958c5bd37a
Formbook
70581c97768f831cf9a0e6e084f44331ffb3d17ed78136dcd6b42e0490b814bf
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
9daf6c939e1c734dca8262f7c96844167c8869301b032c1f156f0e532b055603
Formbook
b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733
Formbook
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
Formbook
+ 3'004 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201118-rvn24t7pkn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.alsagranit.info/rhk/
Unpacked files
SH256 hash:
54e170ab35e32ea8ae1f4b2f5ed8a3dc8530226d7a579843651ebc0c5b4431bc
MD5 hash:
c0508db09e78dd06dead0ec7b69836c1
SHA1 hash:
3c64bb770caeb820c5898b23e04d296d0bf79f7b
Link:
https://www.unpac.me/results/1cc9e1c2-a704-4f66-9f03-addf217d6134/
SH256 hash:
f1c8b375b9aaa998f98124b440f29391d60468ae6bcd9cb08f0f9e9024f21c49
MD5 hash:
37b9a7a1578db2572c36f7907672dee0
SHA1 hash:
7d917c3fc6f689ce438b5bb0772f33fcffd7f1b3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1cc9e1c2-a704-4f66-9f03-addf217d6134/
Parent samples :
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733
70581c97768f831cf9a0e6e084f44331ffb3d17ed78136dcd6b42e0490b814bf
29b9120d8ad7140f77528da00668da77b956fd76ef4dd0ba0af550b771a387b2
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
31a7c6470ae7463e4fb0df44f27792aed63419e03b747b5982fcc26e8011afab
b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9
c69e882c771b1818558a97832a4ffc97db0ca2bdca969abcae1b1b9094123b0b
fed568f2ea01aab915cf34cbae9762d0b6002ae51679980975b9d25f55ae9514
SH256 hash:
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
MD5 hash:
d0e5bb36613f00ef4cedbbeca5e87b8a
SHA1 hash:
50cfa9d5f4f391ff1c26c05feaea9a407903adfc
Link:
https://www.unpac.me/results/1cc9e1c2-a704-4f66-9f03-addf217d6134/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 581073cacdeef9fc1356afb2e44871246527f0416fda08c7bf26abdbb421f591

Formbook

Executable exe 091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 581073cacdeef9fc1356afb2e44871246527f0416fda08c7bf26abdbb421f591

Comments