MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29950580b2173e3b03525a667160b3513b713a0c69c5245aa2f4d81383f0a27c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29950580b2173e3b03525a667160b3513b713a0c69c5245aa2f4d81383f0a27c
SHA3-384 hash: 840d8485c2916b34756c8d686c32a37790ec064bc07000a963637118f8bf73d9e4f5ff6b78e5a5242729dc88cb360d0c
SHA1 hash: f4e8f435aa1183f0aa139b4d26a35961e2129661
MD5 hash: c707c502e44aaadc62792fef2386cf49
humanhash: network-north-pennsylvania-december
File name:contract agreement letter.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:246'215 bytes
First seen:2021-08-04 15:25:17 UTC
Last seen:2021-08-04 16:08:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d8dda11e9d039cb0a1c2e717bdda6d64 (5 x Formbook, 2 x Loki)
ssdeep 6144:B3bpKRYvi8h5SDUaYMZH9729FSg2hdhrM6aA:Bt5viEFzMD2VKMpA
Threatray 7'310 similar samples on MalwareBazaar
TLSH T1B034024231119A2CE42260334EFD5D9E559EA3A01F0E70C796DC685E6B77BF6BE3108B
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
contract agreement letter.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 15:27:03 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/81efde3d-4912-4185-b813-901888a8fb81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176389/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.54397.14064.26504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP GET request
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc9b49d6-bdc7-46c2-8edd-7a7d03f988dc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826980
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459409 Sample: contract agreement letter.exe Startdate: 04/08/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 8 other signatures 2->43 10 contract agreement letter.exe 2->10         started        process3 signatures4 51 Maps a DLL or memory area into another process 10->51 13 contract agreement letter.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.statepenrecords.com 172.67.203.97, 49769, 80 CLOUDFLARENETUS United States 16->29 31 www.ofix.online 16->31 33 4 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 svchost.exe 16->20         started        23 autofmt.exe 16->23         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 25 cmd.exe 1 20->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/29950580b2173e3b03525a667160b3513b713a0c69c5245aa2f4d81383f0a27c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 13:13:26 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgkqlafsc47dwa2sljthcyftke5xcoqmnhcsiwvc6tmbha7quj6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108
Formbook
3b6134b61b84f0653135f7372c8fafe9dd0a35cd658a510de22b9dd9f8bf6257
Formbook
5e870c6ebc9666619f80ecb157b67de938fe42a7d17533d3705b5464923ff7f1
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
91677aa9196e065f40cebb6b50c95524f24161a45436469568954d2bc5d9903c
Formbook
9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4
Formbook
a3703cc485d2a99cfec122203ed2d7dd83274af8bd0b3bcfab3fd590dd5c308c
Formbook
b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2
Formbook
b8ad131dedee5c7f3164a25f907a69c6f90632f901ecf50a61aa7e31b4c8334e
Formbook
+ 7'300 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210804-q9r4qamrje/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.emilysgoinggoingjohn.com/n6ma/
Unpacked files
SH256 hash:
4d820ff476705f0d1890a202a5953ef363a27ecff8823fcbbc5a50f315ad5ec6
MD5 hash:
c55d6c1ce9a84c6b7ec4c5f9846e6b3d
SHA1 hash:
b7d9d8d2a4059bc635dfa31b9c4d0b212213c272
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c04ae0bd-af66-4d90-83eb-66c2b80ba34a/
SH256 hash:
29950580b2173e3b03525a667160b3513b713a0c69c5245aa2f4d81383f0a27c
MD5 hash:
c707c502e44aaadc62792fef2386cf49
SHA1 hash:
f4e8f435aa1183f0aa139b4d26a35961e2129661
Link:
https://www.unpac.me/results/c04ae0bd-af66-4d90-83eb-66c2b80ba34a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/29950580b2173e3b03525a667160b3513b713a0c69c5245aa2f4d81383f0a27c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/176389/

Comments