MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70
SHA3-384 hash: cd0abf933438f99b688e40685b0c112a62e040968a4263e766cb4e614d1a202c8b300a9547db14ea7836a29a8d62b4c6
SHA1 hash: 66832887ae994d363d6ba6f3e6ac4b625b9653d7
MD5 hash: ab10a724cbc3c0b4d14b4dbdce3d43a7
humanhash: zebra-alanine-gee-paris
File name:ab10a724cbc3c0b4d14b4dbdce3d43a7
Download: download sample
Signature Formbook
Create hunting rule
File size:767'488 bytes
First seen:2022-02-15 21:06:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:2c5k+TdUOIrIpjyFMAHe+myGGDI68gRsw8AWmRqhqjv1EX06GBxDnQP4p4:9aSjRie+mCI68gD8Uj9B6Ixg
Threatray 13'748 similar samples on MalwareBazaar
TLSH T17CF4120076B72744C5360BFA84A992854BB5B65D5523E6BECE9230CD0C13BD4CA7BE3B
File icon (PE):PE icon
dhash icon 0012360d4d1e8606 (19 x AgentTesla, 12 x Formbook, 4 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241747/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/620c15fda2660f3bb9de6fd2/reports/d7551b7a-c13b-4395-96ea-734db7373ccc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81712412-f342-4e9f-ac3b-0ee1580e9a38
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940426
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 572901 Sample: IIQumqiToK Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 32 www.eadsscale.club 2->32 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 5 other signatures 2->42 11 IIQumqiToK.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\IIQumqiToK.exe.log, ASCII 11->30 dropped 52 Tries to detect virtualization through RDTSC time measurements 11->52 54 Injects a PE file into a foreign processes 11->54 15 IIQumqiToK.exe 11->15         started        signatures6 process7 signatures8 56 Modifies the context of a thread in another process (thread injection) 15->56 58 Maps a DLL or memory area into another process 15->58 60 Sample uses process hollowing technique 15->60 62 Queues an APC in another process (thread injection) 15->62 18 explorer.exe 15->18 injected process9 signatures10 34 Uses netstat to query active network connections and open ports 18->34 21 NETSTAT.EXE 18->21         started        process11 signatures12 44 Self deletion via cmd delete 21->44 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        26 explorer.exe 160 21->26         started        process13 process14 28 conhost.exe 24->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 17:36:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05a8b223ebaf0e223aeb9d8cbae7f4bbe68350b50691f39091f68e7a0e3450b8
Formbook
1eb4790d6bde96e2486580793a9f6759241f0bde48e6b7f1df0e9a1e62e6a1e5
Formbook
2084194e47482bf35f4b7c5724d6cf0db56cf4f10811f727a3517579c3985b2c
Formbook
44ec04e0e019c71ef2da463be580df904e323388f5250787c3e186c5e954bbd0
Formbook
6420ceb34588ec91292aa6fcaa2b77b99a4b492a009f51a409fd240d138c7856
Formbook
6f2d71733b4bcab1a04a40168f2900963a9f65c0081a6f1d1832d18b6bae16bb
Formbook
78925291f09bb03febfff27735cd630b96b9ea2a21aee0a8b58e156ed20b256a
Formbook
e08593ebcd4ac9265c1f27d987a67f43b2c8a9e9c680e9d47901281a4c5878dd
Formbook
f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
Formbook
+ 13'738 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:p0t9 rat spyware stealer trojan
Link:
https://tria.ge/reports/220215-zyandsacb2/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
aa4aed8d935070bf79093cfba5d4ece4d09e7ad6e2a1d7a2b8a266c663765b88
MD5 hash:
5da4badd82a91e721f9db2683d8bf877
SHA1 hash:
541d5bacc55c247727aab9abfd255d91f1e74006
Link:
https://www.unpac.me/results/fed9d2a5-9a10-43f0-840a-8fac4c0b9f19/
SH256 hash:
79d96f207cb09ccea972821b582632296fb4b2c68f86603d9ad3c3740428c287
MD5 hash:
f7356dbe74dfd394a69ca356ace6c90d
SHA1 hash:
cb15d85b1f3882073c5b64a43931d09a3a3faeaa
Link:
https://www.unpac.me/results/fed9d2a5-9a10-43f0-840a-8fac4c0b9f19/
SH256 hash:
63b6403c6ea1378c0ff49f069597b45496dba6c0161d240e64885ab6f0806d04
MD5 hash:
72b143fd989c37772556bf302ac33be1
SHA1 hash:
ee377db4778e70261d34f8210208069df41a12ef
Link:
https://www.unpac.me/results/fed9d2a5-9a10-43f0-840a-8fac4c0b9f19/
SH256 hash:
7e98822f8518f0e996b7cf3acf26a5097b1d1bca30598a4ad51243e4815cd336
MD5 hash:
e935ef8d61fa963b6ed778497524d884
SHA1 hash:
935ed07dead04deecf89661c3ea1a573468e007b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fed9d2a5-9a10-43f0-840a-8fac4c0b9f19/
Parent samples :
197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70
bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec
a6fc3d54528af98d4e971543db7f11f891d08269e288ad6822959c0a47665609
98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c
SH256 hash:
197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70
MD5 hash:
ab10a724cbc3c0b4d14b4dbdce3d43a7
SHA1 hash:
66832887ae994d363d6ba6f3e6ac4b625b9653d7
Link:
https://www.unpac.me/results/fed9d2a5-9a10-43f0-840a-8fac4c0b9f19/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2044599/
Cape
Cape
https://www.capesandbox.com/analysis/241747/

Comments


Avatar
zbet commented on 2022-02-15 21:06:32 UTC

url : hxxp://198.23.207.112/300/vbc.exe