MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
SHA3-384 hash:	baa0d90001df927bbec3516d55e9e1a2131a75111f05e429238dbd8392fadf14b9825a37b18bb9d920b4a0b8b86b37d4
SHA1 hash:	ce190de876502eb784ae8d3efffdbcc822fc4191
MD5 hash:	07b866a9e7ce588443900e604f09e369
humanhash:	red-football-batman-thirteen
File name:	SecuriteInfo.com.W32.AIDetectNet.01.25146.32715
Download:	download sample
Signature	Formbook Create hunting rule
File size:	652'800 bytes
First seen:	2022-06-02 10:42:23 UTC
Last seen:	2022-06-02 11:15:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:yjAab1As+f4w371DIM2XfsDMGVpaLBgEqllOg9dkR0IYkgRjsWeGe:ycuvw1UBXfsDMGVpMgE29dkR0IYoWeG
TLSH	T126D4F0D0D32BFD76F02531737560E19C2B24462DA1D0D53B9AACB98E30A134A19F6F6B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request for Quotation.lzh

Verdict:

Malicious activity

Analysis date:

2022-06-02 08:21:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19b7c169-99cd-4997-b483-0d29c12e2308

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276296/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.25146.32715.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6298944d961acffe543f78b6/reports/1f405761-c37b-4e67-b38a-172c64cb8e4c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc0d7462-7473-412b-b1ac-424dcb048a11

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1005645

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-02 08:25:54 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cvh3ccgqx3lohzzw4xqaw2ssvqzcefvoebj5ohvnax3pohmqt5sq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:oi25 rat spyware stealer trojan

Link:

https://tria.ge/reports/220602-mr8wdsfbc6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

Unpacked files

SH256 hash:

d9ad45bcbfe603a3be699508002edc692666abb8607437d7287797ebbb20c35c

MD5 hash:

75d51ce06fec59270a87053916934bbb

SHA1 hash:

892b1be0a0937ef4607d705b4e750b36e166e084

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/1fc13a31-1777-4922-bac4-7861df1f0362/

Parent samples :

e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
d789dc89cbdaa34557abf0c25f2ae5e35208c752fdfceb0aaff7ab15a7e45220
d060c0c503a5d377c6f8df72835faad2b6172958efa655f04d3b0f074d10d1dc
9120ea8d13a11c171723ddc231be7217f6611b631d98a71254be079cc3e9dfe2
591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09

SH256 hash:

0a780c9133c199d9a88341e4a0ea562672b915d03026f81bf73c1a7ec8ca369f

MD5 hash:

297c4ed646af1073663e9871615c7464

SHA1 hash:

7892178f7112c3646074df0358d06a8990696222

Link:

https://www.unpac.me/results/1fc13a31-1777-4922-bac4-7861df1f0362/

SH256 hash:

879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504

MD5 hash:

30b6a54a992eae921a2eb8c5ea130911

SHA1 hash:

1c83f0319bffe007077c6656418c9b7344d5affe

Link:

https://www.unpac.me/results/1fc13a31-1777-4922-bac4-7861df1f0362/

SH256 hash:

112b422c20c1e244a56bb3ab5bd76f751be0d8ac469285701486728e285968f5

MD5 hash:

93b4476d88e21b57007077437eae68cd

SHA1 hash:

011ed91e1170eba81d5ed03f0784616de3b863fb

Link:

https://www.unpac.me/results/1fc13a31-1777-4922-bac4-7861df1f0362/

SH256 hash:

154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65

MD5 hash:

07b866a9e7ce588443900e604f09e369

SHA1 hash:

ce190de876502eb784ae8d3efffdbcc822fc4191

Link:

https://www.unpac.me/results/1fc13a31-1777-4922-bac4-7861df1f0362/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/154fb108d0be/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/276296/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample