MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca
SHA3-384 hash: 2798eeb6f16b448b23df0595a85472fb934aa34168b7940708512b02109bc6eca7ef8fd30010036d975c84f0f570d9f6
SHA1 hash: c7332a9e58641255669aae2f53a45ad79a4dd8b3
MD5 hash: 3ec1a88555fbc4e3469c3d932e7443e1
humanhash: wolfram-texas-quiet-twenty
File name:RFQ #0012212012.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'316'864 bytes
First seen:2021-12-13 06:21:24 UTC
Last seen:2021-12-13 07:29:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:EHUrF0NrH0V8tYZMb7W3Nam/zFcBNFRf1nHoXOHtEga:EHUr+4VOYKbqQmEFXnEOyga
Threatray 9'269 similar samples on MalwareBazaar
TLSH T17855125933A08E18E56E13799470C270C375BD196827C31EBAE43DAF7E337909A06B97
File icon (PE):PE icon
dhash icon 60b2a2cc0796cc68 (8 x Formbook, 5 x Loki, 4 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ #0012212012.exe
Verdict:
Malicious activity
Analysis date:
2021-12-13 06:23:34 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1fe72351-6c39-48b5-81c0-0d94bf0307d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213483/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.5169.12485.29351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b6e68e2a06937266100995/reports/c41c9b7c-d4bb-408a-8470-6d141d7047d9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c892a02e-ca3e-4ba3-b050-37edb99411b3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/906141
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 538619 Sample: RFQ #0012212012.exe Startdate: 13/12/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 11 other signatures 2->48 10 RFQ #0012212012.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\RoamingbehaviorgraphtzYTe.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp6A13.tmp, XML 10->38 dropped 54 Writes to foreign memory regions 10->54 56 Adds a directory exclusion to Windows Defender 10->56 58 Injects a PE file into a foreign processes 10->58 14 RegSvcs.exe 10->14         started        17 powershell.exe 22 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 2 other signatures 14->72 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process8 dnsIp9 40 www.muchly20.xyz 104.21.34.70, 49809, 80 CLOUDFLARENETUS United States 21->40 50 System process connects to network (likely due to code injection or exploit) 21->50 52 Performs DNS queries to domains with low reputation 21->52 29 cmmon32.exe 21->29         started        signatures10 process11 signatures12 60 Modifies the context of a thread in another process (thread injection) 29->60 62 Maps a DLL or memory area into another process 29->62 64 Tries to detect virtualization through RDTSC time measurements 29->64 32 cmd.exe 1 29->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-13 06:22:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=czxk54vb3ojdl4opubaynmkynxnr7akgnvfepvfigxlpx3g2v7fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0123fdb2e8de200e6fa07cd5c254771143b7d9fea4f6895077b4f609fc5ae1cf
Formbook
045c15ef3a76b61d487b30e3e554c77afbc4f3fc17078d3818b5392de608a92e
Formbook
0f1caafd98e2c01b9860eb21ba2fa1b31cfd33bf29fa25a1ea5fc97f4a7ed90c
Formbook
2ac5823e51b08f55b089eba1300ad0dd347a3ffb2d41d9145a53be1ff63ba1d5
Formbook
4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
Formbook
58de41e1c48a304c1f7f289fe5c8976d82b8968aae89497adf7c60cda25deaaf
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
Formbook
9c87ae78442d9bc2148c24b455e344deda13c70feacd75c4796ab9c91b18015f
Formbook
9e54241184e45b1950037313896e0d2e864cc9d373f5a2f14b0af405094fd1a4
Formbook
+ 9'259 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a94o rat spyware stealer trojan
Link:
https://tria.ge/reports/211213-g4w5gadca4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dolledbydior.com/a94o/
Unpacked files
SH256 hash:
729bff72d7df86950c9a03b9d5814267b5f738df9aafd27b8d25603f2a910f33
MD5 hash:
ee24f75a5a8b88bf33a08abed0b62442
SHA1 hash:
98e44fcb0767dd065d3d6e9185330243dbc1dd69
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e085bb19-a1fc-42a8-aaec-bb92be496255/
Parent samples :
166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca
ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086
ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e
8e4da8766eb5ea763138244606bbdbafd4297a332988868411194d067724e24f
34f46dda75810eb7a5f92544fdbecf589cc3633a7ef163b54f338477598af7f1
SH256 hash:
edc08d2c1d5acf49262982b3ba6a3db091e2edbb34496ba78814dcaf909467ad
MD5 hash:
969c02856f382394dbc6e65c785cab5b
SHA1 hash:
fc7e8c9ec429444fc16e590368db10cf3ad1ab4d
Link:
https://www.unpac.me/results/e085bb19-a1fc-42a8-aaec-bb92be496255/
SH256 hash:
f8ee3ec61da05401295cfc650a604dc644a16a8d7afc9f090cd9f7a0d9300317
MD5 hash:
7e9f1e09d0aa634d949c26737c26ff3c
SHA1 hash:
cb6b35efc98d0656148907ce56268a964556664d
Link:
https://www.unpac.me/results/e085bb19-a1fc-42a8-aaec-bb92be496255/
SH256 hash:
166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca
MD5 hash:
3ec1a88555fbc4e3469c3d932e7443e1
SHA1 hash:
c7332a9e58641255669aae2f53a45ad79a4dd8b3
Link:
https://www.unpac.me/results/e085bb19-a1fc-42a8-aaec-bb92be496255/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/213483/

Comments