MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97
SHA3-384 hash: 3365df21be84f0b3273f9edd54ea0f57a4703ae17da5fc1a40692e1b121a6d002bba197958c65d9e72503e8b0a5c865e
SHA1 hash: 12d7244bcbf96d5a70cfe5f39271600a330334ac
MD5 hash: d4c958b5f69575622ab7559b07e7abe0
humanhash: ack-queen-island-thirteen
File name:d4c958b5f69575622ab7559b07e7abe0.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:379'392 bytes
First seen:2021-11-20 19:00:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:b9OWEVV2Kx3/chpL7dtp904YyVPp1Z48ufBV/m1F6est682ur:xEKKx3/QL7dLecxen16u
Threatray 11'831 similar samples on MalwareBazaar
TLSH T1A08413099DA59F15C0AA07F237701C1237F49A6F7A61D31C1EC064EADEAA78C1694F2F
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SCANNED DOCUMENT.doc
Verdict:
Malicious activity
Analysis date:
2021-11-20 08:16:36 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/81c61a51-a518-466d-a922-6d1d6fe260f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/619945bb359656727c9eb697/reports/1584c9cc-357f-48ac-bbdf-3ad943dcf9b4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2605a1f5-0009-44ad-a421-da5d5d9cda2f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893150
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525623 Sample: 3pDZ5xkHyk.exe Startdate: 20/11/2021 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for domain / URL 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 5 other signatures 2->36 10 3pDZ5xkHyk.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\3pDZ5xkHyk.exe.log, ASCII 10->28 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 3pDZ5xkHyk.exe 10->14         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 17 explorer.exe 14->17 injected process8 process9 19 cscript.exe 17->19         started        signatures10 38 Self deletion via cmd delete 19->38 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        24 explorer.exe 1 157 19->24         started        process11 process12 26 conhost.exe 22->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-20 09:17:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
418718725035504832c3febfb2372a9a5bb117d9811dcc67d1f290f8dd9900f4
Formbook
754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
Formbook
b7602e7d309795640e020a679f93dfd3cb890bc9073a8ead233ab5323c6e0551
Formbook
d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729
Formbook
f6c1dc28509953d4c7df0cd272714f2ba3de92f85b2ba90d071710580f1df635
Formbook
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
Formbook
+ 11'821 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ob7y rat spyware stealer trojan
Link:
https://tria.ge/reports/211120-xnpnfsgbh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.metanewsroom.net/ob7y/
Unpacked files
SH256 hash:
2da5a77c6251c64099055f36662277c298c83062c5c14dfdd5089319ce85a053
MD5 hash:
a766f9394fe7d0012da3ec32f533f081
SHA1 hash:
428115ad57dcbc26b22c151419509827f31882fa
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c9b7c432-9cf8-42f5-96b1-252c9781f048/
Parent samples :
754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
SH256 hash:
cc5c5860e83b708cd158454165cbeb714767119946049de5aa7677685be75c14
MD5 hash:
83cbea4dec6e5b64a85ee9b6f9ff7598
SHA1 hash:
5c1d12b792c32ba73b7bf2634da5e4d9fbcd7d4e
Link:
https://www.unpac.me/results/c9b7c432-9cf8-42f5-96b1-252c9781f048/
SH256 hash:
dd7b3b61004794868e33f313e157044b0187b36b58e057e8be57e657b248ce9d
MD5 hash:
9d47776a2cf575e7076dc2736461c6b2
SHA1 hash:
18d0145923269083c102ec4f4d36e9c382830831
Link:
https://www.unpac.me/results/c9b7c432-9cf8-42f5-96b1-252c9781f048/
SH256 hash:
25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97
MD5 hash:
d4c958b5f69575622ab7559b07e7abe0
SHA1 hash:
12d7244bcbf96d5a70cfe5f39271600a330334ac
Link:
https://www.unpac.me/results/c9b7c432-9cf8-42f5-96b1-252c9781f048/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/207810/
  
URLhaus
https://urlhaus.abuse.ch/url/1797602/
  
Delivery method
Distributed via web download

Comments