MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b
SHA3-384 hash: 108939ede04c3e4c85d79626e6d52db1b521fe32ddc11b1bfcf53e797c7331026fd6af10ccc1c922a2fc8b88c99fc242
SHA1 hash: 6e2ef03666ee5eaec952abf0f49515d7bdaff005
MD5 hash: ceaac50da58ff5a141ecf2fe7425dbe4
humanhash: fourteen-kitten-zulu-arizona
File name:SecuriteInfo.com.ArtemisTrojan.22369
Download: download sample
Signature Formbook
Create hunting rule
File size:520'704 bytes
First seen:2020-11-03 06:57:30 UTC
Last seen:2020-11-03 10:48:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:8u2Mo+Efv8I1zd5wIJH5y5bvNpd9F1tx2mTT9y8rYHTfFgKBj3vayDPo/:VHet1p5ZXylNlz5y8rTwj3vj
Threatray 4'314 similar samples on MalwareBazaar
TLSH 4DB4C2E32862C46BC97B2EF130557380ED6DDB872B508A3D215B5F08BA30A56EFD6147
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/81964/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.22369.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518884
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to prevent local Windows debugging
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308544 Sample: SecuriteInfo.com.ArtemisTro... Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected FormBook 2->36 38 3 other signatures 2->38 10 SecuriteInfo.com.ArtemisTrojan.exe 6 2->10         started        process3 file4 26 C:\Users\user\AppData\Local\...\mscorsvw.exe, PE32 10->26 dropped 28 C:\...\SecuriteInfo.com.ArtemisTrojan.exe.log, ASCII 10->28 dropped 30 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 10->30 dropped 46 Writes to foreign memory regions 10->46 48 Allocates memory in foreign processes 10->48 50 Tries to detect virtualization through RDTSC time measurements 10->50 52 Injects a PE file into a foreign processes 10->52 14 mscorsvw.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 3 other signatures 14->60 17 explorer.exe 14->17 injected process8 process9 19 WWAHost.exe 17->19         started        signatures10 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 00:25:01 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cru7j7blkzlbhbsa6vzajutorkkwdezshwbzxd3ugugulyonw2nq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
020f6782cf76a5a4f0fc561da8c503892094137b8e5df112005a31885cdc89ef
Formbook
19f43d1f8fd11eccbdb2d9ce05a16983fe394cbd92943bc57943e4bbbb686687
Formbook
2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e
Formbook
72e42f1672249fbd4db20c17d5e29fba5838ef08cf0f6964d84ffc434ea46f27
Formbook
777d646e09cf725986f3617d40d5bca943d077015759e346e3e8f5314cac13ce
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
b40a41c9ee9ed3cc2a18968a900d160b0682e6a3e7b824a953a1e5ca88e6f524
Formbook
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
Formbook
c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752
Formbook
d34f87c6a070f4f73344156c16be7040f2932053aea2868e98b0fa4297113835
Formbook
+ 4'304 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201103-24mbys8g86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://www.tazaly.pro/rte/
Unpacked files
SH256 hash:
1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b
MD5 hash:
ceaac50da58ff5a141ecf2fe7425dbe4
SHA1 hash:
6e2ef03666ee5eaec952abf0f49515d7bdaff005
Link:
https://www.unpac.me/results/a9f1ee16-421c-410d-a13d-1a9adf646bac/
SH256 hash:
85149b884607f6bb7317c7fb893b8cabc550422ecd62bd59509a3d5fcf44b56d
MD5 hash:
a5baef204b1c2470b3692ead91645bcc
SHA1 hash:
636c826cd651b6817711353b140d7960731daec5
Link:
https://www.unpac.me/results/a9f1ee16-421c-410d-a13d-1a9adf646bac/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/a9f1ee16-421c-410d-a13d-1a9adf646bac/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/a9f1ee16-421c-410d-a13d-1a9adf646bac/
SH256 hash:
35546ecaddbb2b054b69cd6c21bb1e86c7d19c21a4f383d8f15a32b3b7c5c82a
MD5 hash:
f38f549fe109e25296f0225f1e28eadf
SHA1 hash:
c0389fa70f9d51f54e274dc787eb60520de17c7c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a9f1ee16-421c-410d-a13d-1a9adf646bac/
Parent samples :
1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b
6bdd742fd2995cf633d3d99d0d3bc3f398ff3e18775b1de3370427256ffccd61
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/81964/

Comments