MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12f92a7d8e9599c69253c73bcf26dd3a1f8887fc397b71c408d9a0ddc22fb520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	12f92a7d8e9599c69253c73bcf26dd3a1f8887fc397b71c408d9a0ddc22fb520
SHA3-384 hash:	0b8acd58a23b48f48cf9e39345427acd4402af3bce12f0d02c6bf890b24300fa9382e23be585418d46e663a451481379
SHA1 hash:	0ba9e0b44df7ad2c5a0d4716912d591e8dc7c66a
MD5 hash:	64fa1d8a2fc9a9148d64a32c33686ca1
humanhash:	wisconsin-diet-bulldog-steak
File name:	詢價_pdf_____________________.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	514'560 bytes
First seen:	2021-09-14 08:37:57 UTC
Last seen:	2021-09-14 10:12:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:lhk4DbF53e0IUFL4TLt9q4izbEPt4ITEp/eQvSBeT+9E846C2W76:LU1QJ4XEp/eQvOZ492W76
Threatray	9'242 similar samples on MalwareBazaar
TLSH	T1ADB4AD243DFA5129F1B3AF7A5AD0B5869A6FB6333617E41D145103874B23B81CED0B3A
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

詢價_pdf_____________________.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-14 08:56:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/17155bc0-61fc-4e04-a875-c219a9c34a5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.17854.22111.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61750d87db358dd15ed9222d/reports/3d69b169-a2fd-4285-aab7-d1c87d354b41/overview

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5f598d42-8e4d-4f14-baab-2af6972b23ba

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850535

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/12f92a7d8e9599c69253c73bcf26dd3a1f8887fc397b71c408d9a0ddc22fb520/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-09-14 02:01:12 UTC

AV detection:

6 of 43 (13.95%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cl4su7moswm4nesty4546jw5hipyrb74hf5xdrai3gqn3qrpwuqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

32be150a050a1b8598455b6db794c2f56bdfb998c759501df5ded3a67fe88d03

Formbook

5e6b89915432b64a3205f68d49db2ffc02007600a2a82a439aff431a95fcbeef

Formbook

7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

Formbook

8503c4ec4121647a225068e8defe8ff2e4cfc61a94dcd3c261ec5acf38dfa73b

Formbook

9c1d6191badf084113871feba0049fac8a2bb5761136877383579cdcf7cd781a

Formbook

b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

da8ac5be69302fcd92625e881ea1494e67b97ace71fcfa9e068f7d7b004f2248

Formbook

eb3f64ec577c51957dfd0c55a431209e947c281c3a2a1f2d8514666530a0e608

Formbook

+ 9'232 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210914-kjqzhafdb5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

a8fedbd8c8a0b308afd57bc4f591019b80826b11ccf9bccbf0fb88bdde0d359c

MD5 hash:

f948d27d8c6a18aee0db5748db6c8068

SHA1 hash:

94aa66929acbd9268a80cac53fd89000e46d8f9b

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/e69abed3-2543-4739-8e6c-447bdef4bd39/

Parent samples :

12f92a7d8e9599c69253c73bcf26dd3a1f8887fc397b71c408d9a0ddc22fb520
57c14f3c817855d5ba2bfabaade5929697472d2989a8a9bcff46e50ac499a4dc
c8b5ad6ec571b93bce7b6ae25501d622eb7fda462b02455ff7bd9aaaace29aef
17b08e4418f813543e91ad18ae2e50ecfe40692d9b5dec854e94ec0abbc92b11
5da4f819e28c2b5e768a01c4c5010f0a335a86120ddb412583a2cd716bf95356
ae33000cbdc7cc10a8d86ce07727c8159d66a6707e2a453d996dc61c709de96f
05cc84b514af3890b82bbb8645e6f2ffd63782852f7ec8f00632cae804e7b443
137bbdb0a6a00a9167dff5cb670ec17aab82ae50392e12b1cdb6a08110d75285
b8393904a1a29cd147d934194b13fd0565dfd123b3868126386437536f15a0b4

SH256 hash:

ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587

MD5 hash:

43ababb6b0a02907aad43084f12b10d9

SHA1 hash:

b60ba705891d5a666d64300181b475a46714ffa8

Link:

https://www.unpac.me/results/e69abed3-2543-4739-8e6c-447bdef4bd39/

SH256 hash:

a15e3971a7ef389bd55442c1ae23d247fdccd9bb5693081819bd7427e166e537

MD5 hash:

cb60857d53f69c2af5c74359ecfb8ebc

SHA1 hash:

b0a8b07159a010bf8bb3b043d57fe5d12d34de48

Link:

https://www.unpac.me/results/e69abed3-2543-4739-8e6c-447bdef4bd39/

SH256 hash:

12f92a7d8e9599c69253c73bcf26dd3a1f8887fc397b71c408d9a0ddc22fb520

MD5 hash:

64fa1d8a2fc9a9148d64a32c33686ca1

SHA1 hash:

0ba9e0b44df7ad2c5a0d4716912d591e8dc7c66a

Link:

https://www.unpac.me/results/e69abed3-2543-4739-8e6c-447bdef4bd39/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/12f92a7d8e9599c69253c73bcf26dd3a1f8887fc397b71c408d9a0ddc22fb520

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample