MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e6b5d62edf242fc7f24dbfa6294f9bf7e34ae7b1222a274b8c5b68ce79cc895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e6b5d62edf242fc7f24dbfa6294f9bf7e34ae7b1222a274b8c5b68ce79cc895
SHA3-384 hash: 9d435b303b79e0d980b0383e094db72e5f23e306d394edc715eb5735d987069a02c509c8bf68d417209d5cb4875ec6da
SHA1 hash: bc44d3c72f8ed8225a522acdede03ad9759d879f
MD5 hash: d61989608bebc11c9bd867ebffae126e
humanhash: venus-skylark-lima-idaho
File name:d61989608bebc11c9bd867ebffae126e
Download: download sample
Signature Formbook
Create hunting rule
File size:695'808 bytes
First seen:2021-09-07 10:58:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:VEFJLgGQYLNDJKF/LnGN+pUW6wNlhPPevXiwb56+DQWNYGQTtqUfRpJ:D0Qxdzud6+DQkYXcUfR
Threatray 9'223 similar samples on MalwareBazaar
TLSH T17EE42D3E18FE23279176C7D5CBE48823F6C498AF3133A965A7D747664316A4634C322E
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
famz6.doc
Verdict:
Malicious activity
Analysis date:
2021-09-07 09:56:54 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/c12879a3-7880-4e03-a718-448f27f8d573

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186002/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.43380.8566.27495.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b1e72a4-ae5e-45b7-8a44-525d9e7888bd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846539
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478970 Sample: 24RV5wW4FY Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 31 www.jenkinsinternationalllc.com 2->31 33 jenkinsinternationalllc.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 11 24RV5wW4FY.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\24RV5wW4FY.exe.log, ASCII 11->29 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 24RV5wW4FY.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.gremioelitecol.com 18->35 37 www.blogcamisetasdefutbol.com 18->37 39 3 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Uses netsh to modify the Windows network and firewall settings 18->51 22 netsh.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e6b5d62edf242fc7f24dbfa6294f9bf7e34ae7b1222a274b8c5b68ce79cc895/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 10:46:50 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0fd4759551d1a32568250aac71951d0eec9d673e205644a45e9cbf2192de2c40
Formbook
24de2bd743d1e6a100fada5dfaf51f9853a52be639eb311aa71b3a42e0a51a92
Formbook
37f6df44b9dd38408fe5682c6d660eceb04a2915b3420576afce05bf3076bc01
Formbook
8d1770889689f693a9029f4f36a590297a38ef96cf606fa0b9cfd6a981b547d0
Formbook
938bf878a5a507a424718a7302d55d36c1ae58fcf571c5da0a6a4a136ee0f736
Formbook
c0447d2efa01433e46c26f66e24b9d35fa30c19c13667dc4867c478b71bb95d5
Formbook
cb63132b863557beac43df88e49f48fad74a31758a8a95f34ea14c6e00c9b843
Formbook
d12401aff6e577ad268923a0310d09931870ad0f5c557245376ca0487e4be96d
Formbook
f658ac4fbbbd6c505cba225df9a6d177ba3de7d4a12a034df4ef17ae288cf069
Formbook
f9dc7de32eb824444dce368b02ff4f6648fc7d01059a04b8a3d2ce8092f1c0ce
Formbook
+ 9'213 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fzsg rat spyware stealer trojan
Link:
https://tria.ge/reports/210907-m3d56affdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.gremioelitecol.com/fzsg/
Unpacked files
SH256 hash:
3093c0185ec13c081056eaaf9e677d8f0b1f4c942300aa1784f91e9bc774053d
MD5 hash:
0ea33e6c311a169d7fed4b991f60b8b0
SHA1 hash:
4d62cf0c44ec734e6df1e0a739e6f103941422a9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a493165-8f56-4d3a-abaf-9a24a6c22505/
SH256 hash:
9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99
MD5 hash:
db1ca79a10eb8debc020653b67a41ed4
SHA1 hash:
c9aff868749946879d85e0c75c11a085d3c244c2
Link:
https://www.unpac.me/results/5a493165-8f56-4d3a-abaf-9a24a6c22505/
SH256 hash:
2119ddefba8b6f63e28b7d255396efbf3d758f646af3000a55a9156795c1ca1e
MD5 hash:
4d758f5d2b28ffe6dd3ed309f175131f
SHA1 hash:
5fa86882212dc2abbaa22b99e542a4a5801c0454
Link:
https://www.unpac.me/results/5a493165-8f56-4d3a-abaf-9a24a6c22505/
SH256 hash:
1e6b5d62edf242fc7f24dbfa6294f9bf7e34ae7b1222a274b8c5b68ce79cc895
MD5 hash:
d61989608bebc11c9bd867ebffae126e
SHA1 hash:
bc44d3c72f8ed8225a522acdede03ad9759d879f
Link:
https://www.unpac.me/results/5a493165-8f56-4d3a-abaf-9a24a6c22505/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1e6b5d62edf2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/1e6b5d62edf242fc7f24dbfa6294f9bf7e34ae7b1222a274b8c5b68ce79cc895

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1e6b5d62edf242fc7f24dbfa6294f9bf7e34ae7b1222a274b8c5b68ce79cc895

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1599299/
Cape
Cape
https://www.capesandbox.com/analysis/186002/

Comments


Avatar
zbet commented on 2021-09-07 10:59:00 UTC

url : hxxp://fantecheo.tk/famzlogszx.exe