MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa
SHA3-384 hash: abddf3cac3e4a65cc9c98e2d8893f6ba62202ba8e969b7b05bc9d57adb38f82f1284691c90e6a6a543809940d7dbc65b
SHA1 hash: 20bc0db2287859b2694d9e753376c2e0daa1609c
MD5 hash: f91409c3e5346d10be1d58f1234511fb
humanhash: north-virginia-wisconsin-oven
File name:80460894.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:516'096 bytes
First seen:2022-06-28 12:28:10 UTC
Last seen:2022-06-28 13:58:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:T+YGeOLuh4XwBMVEJP89TZ7qrSAtAB7vU:izeOLuh4AByTFdF
TLSH T183B412A106C4EB5AE232A7B32130007467AA67EF1C6EE99FDD81F5D91672FC0D1125CB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 00c0c4e4e4c4c000 (11 x Formbook, 9 x AgentTesla, 7 x Loki)
Reporter cocaman
Tags:DHL exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283935/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62baf414fb0f8ab808931c8d/reports/42b2edb3-d138-4e25-8ba9-6a703be3d37b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ceaa5421-4f29-4724-aaee-20867b53be34
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021192
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 653684 Sample: 80460894.EXE Startdate: 28/06/2022 Architecture: WINDOWS Score: 100 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AntiVM3 2->36 38 7 other signatures 2->38 10 80460894.EXE 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\80460894.EXE.log, ASCII 10->30 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 80460894.EXE 10->14         started        17 80460894.EXE 10->17         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 19 explorer.exe 14->19 injected process8 process9 21 cmmon32.exe 19->21         started        signatures10 40 Modifies the context of a thread in another process (thread injection) 21->40 42 Maps a DLL or memory area into another process 21->42 44 Tries to detect virtualization through RDTSC time measurements 21->44 24 cmd.exe 1 21->24         started        26 explorer.exe 141 21->26         started        process11 process12 28 conhost.exe 24->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 10:34:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqfa3azgn5psrzygrxomzw5w4gsjlmcuhtv7sa53lqfmjfmghgva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:auh4 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220628-pnwsrshddj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
af40976e5ce3776a6eef45473ac5793d717d18ab0f0176572534b2873d43318a
MD5 hash:
667cc5c5511fe871e3b0872add9f989b
SHA1 hash:
1c9d8823e3fee6b3c34a65893af50cbb44f8b244
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/e395da6d-9b22-4df9-8546-d4b772d77eaf/
Parent samples :
240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa
9398819a8c024f06a4ff7c0ee671f4461dc701ec8bb7693b618c751449bd8439
def10ac7fe6828b49592e25748378c1b695e31b37c6beb66f52523ae3523d94a
ea29385606912e0d16cafcb9d40923e6ff36e47c265946fe39becbd5a9d29fb5
346ecaefae05b05fb5779e1131b246b148107821725a25062001bc0459c59406
SH256 hash:
0aa8ea56f670ef5041fe87ee1a27b6623c2cf7996ed489214aa076996ca40cac
MD5 hash:
faf84cab64260654988db2f9157f8f89
SHA1 hash:
e1e6ebeaf252c78e74c1355cdefc6a2c52cfab70
Link:
https://www.unpac.me/results/e395da6d-9b22-4df9-8546-d4b772d77eaf/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/e395da6d-9b22-4df9-8546-d4b772d77eaf/
SH256 hash:
c84808d616cea3bce68c69fe377f0ee3bdb516a87b9832dac8d3da76cc12259c
MD5 hash:
3e66474d7b2aac2e9c99eb34a14b2855
SHA1 hash:
13ed533e4aacf1033937a149493c7794db259aa1
Link:
https://www.unpac.me/results/e395da6d-9b22-4df9-8546-d4b772d77eaf/
SH256 hash:
26e0ccac67207afbdd5a6c5f407a05876a459a89d41020330d5ecb9287ea983e
MD5 hash:
639426cbfb544ebf6477f09f07c31eb9
SHA1 hash:
02130bf5feafe64b19eea297c671bee9e810a3a2
Link:
https://www.unpac.me/results/e395da6d-9b22-4df9-8546-d4b772d77eaf/
SH256 hash:
240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa
MD5 hash:
f91409c3e5346d10be1d58f1234511fb
SHA1 hash:
20bc0db2287859b2694d9e753376c2e0daa1609c
Link:
https://www.unpac.me/results/e395da6d-9b22-4df9-8546-d4b772d77eaf/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/240a0d83266f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 5e59faa8bfdf982eb7830fbde567bbc876958e07b8d99024a6d6b91fa4006a70

Formbook

Executable exe 240a0d83266f5f28e7068ddcccdbb6e1a495b0543cebf903bb5c0ac4958639aa

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5e59faa8bfdf982eb7830fbde567bbc876958e07b8d99024a6d6b91fa4006a70
  
Dropped by
SHA256 2317f85355acc60147234dbb9be5417d26b9cb1f7270e069fe9ec07b83928bfb
Cape
Cape
https://www.capesandbox.com/analysis/283935/
  
Dropped by
MD5 925fff68a21f482c228dad429b4c46c5
  
Dropped by
MD5 fcdc41fc0cd539b052218190b0b0d148

Comments