MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
SHA3-384 hash: 16fcc257df79481aabb0f0553c9a83dad7ce6fb469222e3a5c99145d140339df2996989f66ea51c3dace20b25cd66735
SHA1 hash: 13825d15fcd4bfdef7bdf545a68a34e07a5366f4
MD5 hash: 0ed632ca837fc68c85c6bb16651af7a0
humanhash: utah-michigan-tennis-jupiter
File name:1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
Download: download sample
Signature Formbook
Create hunting rule
File size:2'230'480 bytes
First seen:2020-11-03 10:09:05 UTC
Last seen:2020-11-03 11:57:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Htz/FfrcT+awHKB4rx3eL8TxThiLdjVOejeYYPcmi9T1qjuI+WC0iIyL8sXvqb/w:38
Threatray 5'295 similar samples on MalwareBazaar
TLSH 6DA5593D6E9826E36173E676A0F60187FAE865C673781C4B42C33B58294AF063D9734D
Reporter JAMESWT_WT
Tags:FormBook

Code Signing Certificate

Organisation:DigiCert Assured ID Root CA
Issuer:DigiCert Assured ID Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 0CE7E0E517D846FE8FE560FC1BF03039
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82005/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519041
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308621 Sample: z6q89IwPnW Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected FormBook 2->40 42 4 other signatures 2->42 10 z6q89IwPnW.exe 1 2->10         started        process3 file4 28 C:\Users\user\AppData\...\z6q89IwPnW.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 z6q89IwPnW.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 natilcorretor.com 179.188.38.220, 49733, 80 LocawebServicosdeInternetSABR Brazil 17->30 32 www.natilcorretor.com 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmmon32.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 21:43:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2bafe7b4f77916d7ca905d9d46453d27e090b85ba065f4892a886abdc8e51863
Formbook
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
Formbook
37c41a797e70fef4120a5175d93835738ed9b9b85e24c912d61c7e1f96265f51
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
Formbook
a50fdfd2a59cafe23cd41227b465d44b6d00e2b14f707798d60d2637ff78ef25
Formbook
bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
Formbook
c41015f034cca2ff33ce96e08ddb477a92a3fff678bd8e78a78d96bf69e613f1
Formbook
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
Formbook
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
Formbook
+ 5'285 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201103-nm86s11gge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.a1aphysicaltherapy.com/ri6/
Unpacked files
SH256 hash:
1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
MD5 hash:
0ed632ca837fc68c85c6bb16651af7a0
SHA1 hash:
13825d15fcd4bfdef7bdf545a68a34e07a5366f4
Link:
https://www.unpac.me/results/421c98b9-7b3b-4c13-923f-204500045582/
SH256 hash:
6bc2db131b9b104a85b1a4511bd76d31cf5c57ac1fba9383a954ae72df43be6d
MD5 hash:
9d1b2656e8d95d6d284de8e41b0b8d17
SHA1 hash:
98a2b494c7ae8e9b705c219148e08f0cb0b56420
Link:
https://www.unpac.me/results/421c98b9-7b3b-4c13-923f-204500045582/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/421c98b9-7b3b-4c13-923f-204500045582/
SH256 hash:
c7f102558506e1664af6c1781909964d377e909a3a276aade19843fde51bede4
MD5 hash:
588e4bb830687dccf91884fb5ef122ca
SHA1 hash:
5408f418e569738550a26b9e2810cb0df7a4de9e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/421c98b9-7b3b-4c13-923f-204500045582/
Parent samples :
1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/82005/

Comments