MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
SHA3-384 hash: ebe59738c84957879c9ef0afbaef0af2736d3339a82481cc2911942a3c3c428507900f19fcb842fcbb227f7f36ae0555
SHA1 hash: 10d79cb8e51fd30bfff63b2465ba0e111f6dd500
MD5 hash: 839c75a88734aaf014ef0c3d77ce9109
humanhash: quiet-triple-charlie-hot
File name:PO 56720012359.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:304'128 bytes
First seen:2021-09-15 06:33:52 UTC
Last seen:2021-09-15 08:11:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2e2fa89aec204ac5f3945ce98025d14 (3 x SnakeKeylogger, 1 x Loki, 1 x Formbook)
ssdeep 6144:z9GBfOEiU6y+B0yoP9/NbU2Q2QNW7rdmtJJTbutFB1:zgBmEiU6/aF/Ja2oW/dmtJwTB1
Threatray 9'511 similar samples on MalwareBazaar
TLSH T17F54F102FAD48075E0B30E340920ED7007AEFB728A7EEEA35728955E49755E16B35F63
dhash icon 4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 56720012359.exe
Verdict:
Malicious activity
Analysis date:
2021-09-15 06:34:59 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/95bf5690-2028-46f2-a48c-0bc3516af7d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187965/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.43330.25274.16092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/6175141ba9d585e6d5370e9b/reports/f4c93a99-2ce6-4965-ae59-978420df68a5/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc0ab3a7-3fe6-4a39-8579-304e8d545a69
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851106
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483537 Sample: PO 56720012359.exe Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 31 www.la-bio-geo.com 2->31 33 www.allfyllofficial.com 2->33 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 6 other signatures 2->51 11 PO 56720012359.exe 1 2->11         started        signatures3 process4 signatures5 63 Maps a DLL or memory area into another process 11->63 14 PO 56720012359.exe 11->14         started        17 conhost.exe 11->17         started        process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 19 explorer.exe 14->19 injected process8 dnsIp9 35 www.mobilewz.com 23.252.68.226, 80 SAYFANETTR Turkey 19->35 37 www.stuntfighting.com 156.252.96.170, 49774, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 19->37 39 4 other IPs or domains 19->39 53 System process connects to network (likely due to code injection or exploit) 19->53 23 cscript.exe 12 19->23         started        signatures10 process11 dnsIp12 41 www.mobilewz.com 23->41 43 192.168.2.1 unknown unknown 23->43 55 Self deletion via cmd delete 23->55 57 Modifies the context of a thread in another process (thread injection) 23->57 59 Maps a DLL or memory area into another process 23->59 61 Tries to detect virtualization through RDTSC time measurements 23->61 27 cmd.exe 1 23->27         started        signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402/
Threat name:
Win32.Trojan.Brresmon
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 03:51:39 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dau26wlbkbjbgugyclah7ajcm5k5hf7eovpwjhqihtag3z6w6qba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
1cd93c07c439d16266f2276b1f38c53b57cd0de59490b6857044eda8abe78c01
Formbook
2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
Formbook
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
Formbook
64c5f02d627f750a5b60a196ddd53fc03f6bf632e7643cf996effaed8981e05d
Formbook
77f75ced9cfdb9bff40e705aaced15795f123e460db0fcb97463e0515aaf8af1
Formbook
a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
Formbook
b6f6868af49729ca38d24bae34efc0fb3025b7947b5cbda60251d96755e01725
Formbook
bf299d24600936c9f0f4da127632a2a28c4f5243c23a87ee11a6a96b4d7727a2
Formbook
c9afe6904407e9b60e73edf93efbd932b6725f0f4f33306117ffc9854c21cae2
Formbook
+ 9'501 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6cu loader rat
Link:
https://tria.ge/reports/210915-hccgesaaa3/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.allfyllofficial.com/b6cu/
Unpacked files
SH256 hash:
9f0504e928d32b48eebf9c0ff72e61751fa16482f490bba59e4e4c8eda864f3e
MD5 hash:
6a7d943c3990612f8b47f7ecc9f48cf7
SHA1 hash:
de4705788da371a53409575bc59452e2a68f647a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5877508f-9c85-4494-8287-81fba2d93f30/
Parent samples :
2cacbf5edb0feaee79523ed3d17bd8ad53528244142244ca40626626baaec46b
3fd3f37912e5aa23fceb3877d6ee43c8b102410d4fc90b147aab266972939b07
a5fb671ff149d2c1c97fcd000703037ca35298d3d45d4797ab20a190aea0ff10
1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
207dff33f6f91f114deae60a6cb3a404a5f40bc607fb6015f680c8980af7ac16
SH256 hash:
1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
MD5 hash:
839c75a88734aaf014ef0c3d77ce9109
SHA1 hash:
10d79cb8e51fd30bfff63b2465ba0e111f6dd500
Link:
https://www.unpac.me/results/5877508f-9c85-4494-8287-81fba2d93f30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187965/

Comments