MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210
SHA3-384 hash: a120dc519ed262970a981996f357b90c4261c24f7eda4515e9cceeed3e9018a76cafd73beb203b237f21f45e161264c3
SHA1 hash: ac2f1256173e64b85cf1653bec6bf0d29420a82a
MD5 hash: 6d23db9129edd1b1d14d9965baa3a251
humanhash: washington-pluto-green-friend
File name:6d23db9129edd1b1d14d9965baa3a251.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:455'680 bytes
First seen:2021-12-20 09:46:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:ztebkTl2pslyNDdc02tmTemAvVLohGIJFFppIyS3mmDDS6hKLhoS/MOOeMtq7PdX:gsl+T2tmiFVaFppIyAhXGSGyHMd
Threatray 12'385 similar samples on MalwareBazaar
TLSH T1EAA4E06C32A7A7DED97053B83BB9503403A6BC725127D259D89A31DF1937B40BA23B13
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215427/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61c050dc8991ba72b38e48c4/reports/c40f508d-9a48-47e5-8bd1-90f5454a75a6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/beaddcb3-5575-4865-9079-df9a56a228a1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910182
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 542658 Sample: 0Z9Q5vtqV0.exe Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 31 www.tnb-research.net 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 7 other signatures 2->45 11 0Z9Q5vtqV0.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\0Z9Q5vtqV0.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 0Z9Q5vtqV0.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.informacja7902.site 84.32.188.89, 49814, 80 VUB-ASIT Lithuania 18->33 35 cummingautorepairs.com 23.229.143.36, 49792, 80 AS-26496-GO-DADDY-COM-LLCUS United States 18->35 37 www.cummingautorepairs.com 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 control.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 20:51:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjojjgf5zu4pwnwtly7lgl2f5xuehzj65nl6s4zfltyr2zrrqiia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
207b6109319a9405ea9d3a379332b73c67e99a649029654f73e2a61acfb84f03
Formbook
2152a980e864940db36cde90c649f66e7c2da15790e97703a28cb378fb7b5ca6
Formbook
558470db798ec71e380a908adaf33e8d39850165e623bdb129196b79919f4248
Formbook
75ed45b6037e84e9ab04fd54b551711c8765972a14a25da2acda47acd7b89ca8
Formbook
9ea2af324c0b6ab6493a82c59ba4f2aa56d94c5bc830f0e2b5a8288dc63747d4
Formbook
9fa1cc5263270e7856695780225b4084962371dac2f5d7a921d782dc862f0d05
Formbook
a33cbeb94697eb2355ea92f44f065e52461adaf621ad548d066dc73d6d76eeb9
Formbook
b52af14eb676f40ba504c6c97cc06a75fc266a4abb3da6feb923701bbd8d0f51
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
f840ca48e6381b385534156b8245c39dee4d1c95e18569c91b5537ff2f20aa7d
Formbook
+ 12'375 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a3f0 rat spyware stealer trojan
Link:
https://tria.ge/reports/211220-lrmgqabaen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
265ef809ccb008760a41c04e171b7493e2a15f091aa693f6ebe146420e090bdf
MD5 hash:
1dda3144bad6364a4bfa2f12bd1930e4
SHA1 hash:
8130e9df0cf85784990a5960cd980d36d759926b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4fa2066c-ec8a-493d-be57-f8257f4edb32/
Parent samples :
125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210
15aeb1edef0fa34d88b0cae99767b604b90138173b024bb4512979b22cae9287
37c61785c47820bbfd4198b8ff7c9db451bdde81371b5dde948b6aeab76a36bf
3e07bbefb8a7c7c8b5c46c854eaa422fe047cd22d6c2e96af1b1a88fb78854b0
SH256 hash:
a447aedfb470435a88df559356b14e810aef58e64e12aec186cb1da28748beb5
MD5 hash:
97ba3929f1aa9e01973762b35a8881ba
SHA1 hash:
be59f22a5542c66d35975cc1c3dbd463d8c1f0a9
Link:
https://www.unpac.me/results/4fa2066c-ec8a-493d-be57-f8257f4edb32/
SH256 hash:
cc863038dfc58d37276a1f1cb952870d6a2cd81a7ac72d3ed7021e5c5aa1c8f0
MD5 hash:
2c5570f3b591aa1fd57f5ec62ab89b76
SHA1 hash:
7a451b030d1acef0a149e333ba9df225fc5494d1
Link:
https://www.unpac.me/results/4fa2066c-ec8a-493d-be57-f8257f4edb32/
SH256 hash:
125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210
MD5 hash:
6d23db9129edd1b1d14d9965baa3a251
SHA1 hash:
ac2f1256173e64b85cf1653bec6bf0d29420a82a
Link:
https://www.unpac.me/results/4fa2066c-ec8a-493d-be57-f8257f4edb32/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/125c9498bdcd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 125c9498bdcd38fb36d35e3eb32f45ede843e53eeb57e973255cf11d66318210

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1880065/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215427/

Comments