MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429
SHA3-384 hash: d4d60fa0620bad44f958a7eda19e06524fe7c78b711171335438b23ed5d91b0db9b666b6225091f335aa5b045d547273
SHA1 hash: 30bef5c65abf9ee8030732eaa31de3271c68f101
MD5 hash: f1dbb43cf9f7409787142ff2606f5443
humanhash: washington-oregon-helium-michigan
File name:scan-copy059950059pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'094'656 bytes
First seen:2021-06-03 18:56:06 UTC
Last seen:2021-06-03 19:49:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:V650F0V1IDXcnx7GiGZjcij9d9IgkH2w1z7PV13XMV8c8b9RYgyIOUS7kgRRvpKp:Z00YAcHrDZTYgnCPMNWo
Threatray 5'384 similar samples on MalwareBazaar
TLSH F835392439FA501AB173EFAA8BE4B9DADA6FB7733B07645D105003864723A41DEC153E
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scan-copy059950059pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-03 18:58:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b49243f8-f137-433c-a1d5-3852e8f3314f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164491/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796935
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429331 Sample: scan-copy059950059pdf.exe Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 scan-copy059950059pdf.exe 3 2->10         started        process3 file4 28 C:\Users\...\scan-copy059950059pdf.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 scan-copy059950059pdf.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.healthlifepoint.com 52.128.23.153, 49734, 80 DOSARRESTUS United States 17->30 32 www.lindsaysgill.com 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 colorcpl.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 15:04:38 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfgwrknowerur4a4keiicsxzhcwgpseacztff7k3i4pzvrgjgquq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19fea0b558bc85df1bec0bd5a086fd2678767117999762731b0f6fe15e1c590a
Formbook
3009ff9d8a1675709ccb395bb2c45fb0046a19389e37f4e20bc672efee49f8cd
Formbook
53a4affbe5f5bdcecbe8e78d86d7e0603fa1b674a7269dce0997dc1d5ca8188a
Formbook
6c2f5bf673b3bbc31cf425259cd5a0262094e85a8bed03714c7b39712efc4beb
Formbook
730b276576659ea2bc17aee5e92f2cc5b9aecf9ade5f03816bde0023a783b545
Formbook
7653e46e3326fbabf9e534cbd02600f87ad38b5c9e4e175a60e27a6d90c5e6fe
Formbook
8daa177496784e7684a6379da8117b6f73e641f9b19f605e8650f3f4f9f8e32c
Formbook
9b7fd781016675bd73b0acc7e402bbdcf4dfa3e3df4a5dd7d7c9c850bc2d85e8
Formbook
d885a2034e825199486fbe2eecbf1098e07c8ba36ffe3cca2518e3f332c48f28
Formbook
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f
Formbook
+ 5'374 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210603-g5elsm5k4a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.rvs2gospecials.com/fmjo/
Unpacked files
SH256 hash:
ca32213295a987d9894192ef69196b9f779f3c24d6ce914a3fafa1e0348c9c69
MD5 hash:
f3389ba26fdb089ea51d14c85ff0c7ce
SHA1 hash:
eb83da3fe19c6d9b51c7ba365f80568dac6f5074
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6c10489-56c0-442f-8551-e6351227769b/
Parent samples :
094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429
7136d9886a979d81abdaf9f75516b50970abff75d874c937f58a72d0c2ebe623
4fda1896f5143497af8231a4a73f99381038088aad02e30141d5be3322bcabeb
SH256 hash:
a93c5a6621be496deea33afa5f0aa924ec6a3481967527842825963c3368299e
MD5 hash:
e23d6c08351b3e648e527c0f6174ac07
SHA1 hash:
84579e796b23d7531ef1c6b5cc9815e328950afd
Link:
https://www.unpac.me/results/c6c10489-56c0-442f-8551-e6351227769b/
SH256 hash:
f05a3d0ccf532d8da4a372a80f5fb298924fdc851680d530d3b6dd29b973cfb9
MD5 hash:
051890feea6b4b6c5f386d0f17f73bc2
SHA1 hash:
79a35e5b22aca9c24eabd8f6b802b2ebbe90d6a8
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c6c10489-56c0-442f-8551-e6351227769b/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/c6c10489-56c0-442f-8551-e6351227769b/
SH256 hash:
d407cdd8a4e7c4b85c3db2e716b111b25809ed36e5cad0ca89d75763e1a9618c
MD5 hash:
3d3f56f84dd9063bc9abe69236620ba8
SHA1 hash:
145e2cab211402e304b910676a446df4effe6637
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c6c10489-56c0-442f-8551-e6351227769b/
SH256 hash:
094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429
MD5 hash:
f1dbb43cf9f7409787142ff2606f5443
SHA1 hash:
30bef5c65abf9ee8030732eaa31de3271c68f101
Link:
https://www.unpac.me/results/c6c10489-56c0-442f-8551-e6351227769b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 094d68a9aeb12348f01c5110814af938ac67c880166652fd5b471f9ac4c93429

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164491/

Comments