MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178
SHA3-384 hash: f28e60b0dce216b02464d1506d551f1fd0db9c67348f766dc23f1d0df7621ea2846fc700cc1faacb16808a304ac8b0b7
SHA1 hash: 2ce9180ab6ea128c370d0e0a019d68a0bc9db0bf
MD5 hash: c5415a264543582dbe02dddefe099636
humanhash: happy-april-wolfram-pizza
File name:rro4665321.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:321'327 bytes
First seen:2022-02-24 09:16:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:TxDtuBCR5ZRw2mB2lLNbtEl6dNFZv7I/Jk6ZcpMNj3AODMucQH3b0M05SP18l:CORpWcZvAJk6ZzjdM5YbB1g
Threatray 13'602 similar samples on MalwareBazaar
TLSH T12564124A66D8C03BFB4A477A1F773FF6E7B59116813A12DF47841F2E0A661C229C424B
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0023022022.cab
Verdict:
Malicious activity
Analysis date:
2022-02-24 07:59:46 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/3a3542f7-647b-4cf5-998e-3c3566d29e39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244220/
Detection(s):
Win.Malware.Fragtor-9939961-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62174d37a6f52d32f17f5b91/reports/9dcad22f-bdcc-42b0-adf8-6300c94c1d4b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1baf87a4-fc08-478c-b769-5050e53e56aa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945521
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 577998 Sample: rro4665321.exe Startdate: 24/02/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 5 other signatures 2->53 11 rro4665321.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\Temp\lpdnk.exe, PE32 11->31 dropped 14 lpdnk.exe 11->14         started        process5 signatures6 63 Multi AV Scanner detection for dropped file 14->63 65 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->65 67 Tries to detect virtualization through RDTSC time measurements 14->67 69 Injects a PE file into a foreign processes 14->69 17 lpdnk.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 17->20 injected process9 dnsIp10 33 www.londoninbd.com 20->33 35 www.lightofcg.com 20->35 37 londoninbd.com 34.102.136.180, 49783, 80 GOOGLEUS United States 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 24 wlanext.exe 20->24         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 24->57 59 Maps a DLL or memory area into another process 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 15:00:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgs7t7lsi5l3hkqbqm6gr6d67w4odepdmmbshepmrfnb3b64wf4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0030293612e1420d3d979e1ae8eb222cc8bcd7e357e1e5c0c3121c6218fa35be
Formbook
0e3dc9a9c08c1dadb1cb920c7d32b7f9fee978460a15f8459a4cc12c98c6e7cd
Formbook
0e60ab02aa9936b071370ea4d7163f77da68cc6eedb562016311e53f67502405
Formbook
4b11b45c019f5c15f5568d5c1258cb1cb077aaf59bdff581e5efc280047f62ab
Formbook
50771a013c968d61b8e3111da3cb205f1d8878031c63bdbaaddaa87308a3e290
Formbook
5cd0836a13fa804b548a110f168438da7dffd9c4fb5cc0036241f57bd7c5954d
Formbook
8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
Formbook
945f67ae677681e14db036f753f47333556fea6f3837bef7399e440e6bc167d5
Formbook
99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b
Formbook
f57e89942735ce5ecf194ff7161c0c4419b989ce4ce5bed6a8c752315029ecaf
Formbook
+ 13'592 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r1e3 rat spyware stealer trojan
Link:
https://tria.ge/reports/220224-k82gjacfa5/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
622ae9ea78c205254faff324645e296624527e16745f406d2f675b510acfbceb
MD5 hash:
f0e3b1646c0fa07ed6b3d18ddbc771a5
SHA1 hash:
856e4d43ba82e77b4c831f162788e100cb31beb4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/08dfe305-acf2-4fa3-a23f-6ee6bdbfaeab/
Parent samples :
b1623f58bfe1b81afd809e8b60a395ba2bcbe9c15b67ccb1938bd21172a586ba
29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178
09e3f4ef9fdeaf20b19ba8e36c342375f61458f226ccc5a857b055321bc5ab89
SH256 hash:
938504b0f3602280266611a5e9a085b663f4ed997105e16ee8dc24e4cf7cfe74
MD5 hash:
0487214b08253d04d95e1e20445d275e
SHA1 hash:
bd0d84a22640ba2bf354fa840706f919afc7871c
Link:
https://www.unpac.me/results/08dfe305-acf2-4fa3-a23f-6ee6bdbfaeab/
SH256 hash:
29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178
MD5 hash:
c5415a264543582dbe02dddefe099636
SHA1 hash:
2ce9180ab6ea128c370d0e0a019d68a0bc9db0bf
Link:
https://www.unpac.me/results/08dfe305-acf2-4fa3-a23f-6ee6bdbfaeab/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/29a5f9fd7247/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 29a5f9fd724757b3aa01833c68f87efdb8e191e363032391ec895a1d87dcb178

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/244220/

Comments