MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
SHA3-384 hash: 4b44d18e1c10a91a5106fece7aa1bb9d460357ee14d29fdcc49e2ee35f3fe86ef250dfc1f7ed7e797d9b94454976ab42
SHA1 hash: 6596ac1216bf03d88482415755c499ed6388cab4
MD5 hash: b9bca038d7532ec8a1a9ba0e867061bc
humanhash: sink-aspen-march-minnesota
File name:mal.pif
Download: download sample
Signature Formbook
Create hunting rule
File size:605'696 bytes
First seen:2021-07-22 06:43:17 UTC
Last seen:2021-07-22 07:44:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NRzBs9vQVJ16RzfqfJ3druK3MfxoH6prHTdtqMVkhV8Rb:NQ9vQr147qfJ4nxxHTni
Threatray 6'729 similar samples on MalwareBazaar
TLSH T12ED4F1683258BBAEC57FEB79C5480C2067B0A123831FE786AC5751FD1C4D782CE66297
Reporter ankit_anubhav
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mal.pif
Verdict:
Suspicious activity
Analysis date:
2021-07-22 06:42:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/25702fd4-f5b0-467b-8311-e809d6242c99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173234/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14415.8579.13487.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b95a7438-efb6-4631-b5c7-2f876c8e717b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819963
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452374 Sample: mal.pif Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 10 mal.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\mal.exe.log, ASCII 10->28 dropped 50 Tries to detect virtualization through RDTSC time measurements 10->50 52 Injects a PE file into a foreign processes 10->52 14 mal.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.mybabytennis.com 209.99.64.55, 49741, 80 CONFLUENCE-NETWORK-INCVG United States 17->30 32 www.sarahcarver.com 52.58.78.16, 49744, 80 AMAZON-02US United States 17->32 42 System process connects to network (likely due to code injection or exploit) 17->42 21 control.exe 17->21         started        signatures10 process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 11:09:46 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etmr63b5zljw2zpelaq5kifkvpbpjkd3wgvvcllia43xaegvnaha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
027b78bee3eb51a23c82c4e77891d530cc1fad22adfa3f52b0ed8b37e9afc3b4
Formbook
046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108
Formbook
0c856e57da034a8943b4065297d075365090d9eb925abb7ba74dd3df9acefc1f
Formbook
1640d521a0e5aff2aeb9eb892c8b19d0897e22c73940c394a5cb12af271de6ec
Formbook
3a35df53c702f348d3693309c29fe3044d50ecf4be8648b787e74f79f5d2ceea
Formbook
5fb8b22a773eb50d70b1f58a72dd7903aa7162b40b64326c0a9985027943e083
Formbook
6f8582beb15fc9d7978cf5664d99f426efc02d3c95aba21cf47520a16dc5a831
Formbook
90d238a1c183586c60ffb6c1fb4786950483080240feca7fbf6d99ab98c64a6b
Formbook
c0f9927bbf25d29cc37936db7b00a09f94b23dcbec9103b77802891c49b9f4c3
Formbook
c51924bcaad1fd98393bd75c23f6ca084bfed8f346085520bf61b550f85a3fa4
Formbook
+ 6'719 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210722-2bczf9mp4n/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.trendtechpros.com/sm3l/
Unpacked files
SH256 hash:
4c0f37affc711c082c2f93b6fae1a82725125058cb268a44d057b3b7a44992b1
MD5 hash:
09f8e5df1fc282a76220046decc5ebb5
SHA1 hash:
743633e0e528679de4fb90e02d9d23133e39ccaa
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6ed39bff-4c1b-43b1-ac46-4600b0bbee56/
SH256 hash:
051a04b115842c1e078f62b47a4d3e8826612cb1b68970d821da645d632b9aae
MD5 hash:
f28600d260669975d379d014878874f9
SHA1 hash:
db9b3332de7fb999d95f8c9c47635c0a304eb2a5
Link:
https://www.unpac.me/results/6ed39bff-4c1b-43b1-ac46-4600b0bbee56/
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/6ed39bff-4c1b-43b1-ac46-4600b0bbee56/
SH256 hash:
49e6a0f9461a20a5b41a5b1cc9f4afa33ef4ec0bb4ddb39e2aa241b655fa1a65
MD5 hash:
0ca0f0605033d19809ba0f8da6af8e1e
SHA1 hash:
8f5863037383d71037c0a8d98cc8d9e6a38711ac
Link:
https://www.unpac.me/results/6ed39bff-4c1b-43b1-ac46-4600b0bbee56/
SH256 hash:
24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
MD5 hash:
b9bca038d7532ec8a1a9ba0e867061bc
SHA1 hash:
6596ac1216bf03d88482415755c499ed6388cab4
Link:
https://www.unpac.me/results/6ed39bff-4c1b-43b1-ac46-4600b0bbee56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/173234/

Comments