MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33
SHA3-384 hash: 00af909f238610482fe8bde04db3789079a3b6d00128912fafa9ddfe2f1e4889821d091ce23567aedeabfa48ada6d6db
SHA1 hash: 3d4dc73fee1b191c2b942e28920c37c82d38b0ed
MD5 hash: 7e26e87ab642008d934824d509559859
humanhash: sixteen-one-beryllium-alanine
File name:SecuriteInfo.com.Generic.mg.7e26e87ab642008d.31908
Download: download sample
Signature Formbook
Create hunting rule
File size:552'960 bytes
First seen:2020-11-27 14:40:44 UTC
Last seen:2020-12-04 19:51:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:MiUO3Iy0AZNVNpiWbYOoa09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxZ:InULziIYpaIFq
Threatray 3'071 similar samples on MalwareBazaar
TLSH 10C4BFD7E6450442EBE12931EA6ACB720B12AD3F5580484B01F67C373FDD663E427A9B
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105824/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549437
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323829 Sample: SecuriteInfo.com.Generic.mg... Startdate: 27/11/2020 Architecture: WINDOWS Score: 100 45 cdn.onenote.net 2->45 47 www.xn--mgbaht9hj11byu.com 2->47 49 g.msn.com 2->49 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for dropped file 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 8 other signatures 2->61 11 vlc.exe 3 2->11         started        14 SecuriteInfo.com.Generic.mg.7e26e87ab642008d.exe 1 6 2->14         started        17 vlc.exe 2 2->17         started        signatures3 process4 file5 71 Injects a PE file into a foreign processes 11->71 19 vlc.exe 11->19         started        39 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 14->39 dropped 41 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 14->41 dropped 43 SecuriteInfo.com.G...87ab642008d.exe.log, ASCII 14->43 dropped 73 Tries to detect virtualization through RDTSC time measurements 14->73 22 SecuriteInfo.com.Generic.mg.7e26e87ab642008d.exe 14->22         started        24 vlc.exe 17->24         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 19->63 65 Maps a DLL or memory area into another process 19->65 67 Sample uses process hollowing technique 19->67 69 Queues an APC in another process (thread injection) 19->69 26 explorer.exe 19->26 injected process9 dnsIp10 51 www.theaterseverywhere.com 74.208.236.113, 49750, 80 ONEANDONE-ASBrauerstrasse48DE United States 26->51 53 www.privateinvestigationsanjose.com 52.58.78.16, 49758, 80 AMAZON-02US United States 26->53 75 System process connects to network (likely due to code injection or exploit) 26->75 30 msdt.exe 26->30         started        33 wscript.exe 26->33         started        signatures11 process12 signatures13 77 Modifies the context of a thread in another process (thread injection) 30->77 79 Maps a DLL or memory area into another process 30->79 81 Tries to detect virtualization through RDTSC time measurements 30->81 35 cmd.exe 1 30->35         started        process14 process15 37 conhost.exe 35->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 13:42:18 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d6b4c596e189a78ffd872bffe908aaf27f74f6c36dddfd50b517f9155c0938b
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
33ed25d4d86367d8f1026cf26cde357baf28faefe7cfe2f01719a0d2865a4ece
Formbook
3afb9252d528d667bbdf62a3e7a235615ad0814911ca4690505822cbda24c380
Formbook
52a6c71e63ed3857be2fa0fb314ce631820994fb7e852fb66bca923efbee2380
Formbook
620ae1d3eb33c1af2241a3a28a2a91da72d8579c8a722ed1c3b4072b4f33a56f
Formbook
82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2
Formbook
8bb7375d1d8c2236d2a43e413209831ab50f8599eabdc906143ba7742425fb0c
Formbook
a4cb0f9cc73c9dda17e2c27e0c35cec8b5f58d08910f4ad237814f8f3a9b3723
Formbook
bbb95e154a42908b2bbb1797d8b6178343b7c084158183f628b5c4bf3fe5ac7d
Formbook
+ 3'061 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201127-e8jbhcl88j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.daughter4hire.com/gwg/
Unpacked files
SH256 hash:
3fa828fc57b0ed258379bed857474d15235423d35ef8bf2da50faadcbbadc09a
MD5 hash:
15ed7d72484754230d76363c266002fd
SHA1 hash:
43d22dbdcdb944a399dd4898135c265e34f1a036
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ec32fbd5-4c4d-45da-bd67-f33a34354e71/
Parent samples :
3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33
d809df216f28368e1bc3de96702139476f8f2364d2d6e82dec7a540815bc83c0
a4f5a8852abc7539b9c0ee7ff8124c53a1583084f5d869b9ff127c9e9561e1d2
SH256 hash:
c36b38bb0d0671ae8b9133f2c0ec47b108afa58d234ec8a305a1dc23a3806bf6
MD5 hash:
e4f0645d9da6b46cd2cd9cd224ef8664
SHA1 hash:
b3b64478782c87e57fa74f7ef8e9535752f4c662
Link:
https://www.unpac.me/results/ec32fbd5-4c4d-45da-bd67-f33a34354e71/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/ec32fbd5-4c4d-45da-bd67-f33a34354e71/
SH256 hash:
3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33
MD5 hash:
7e26e87ab642008d934824d509559859
SHA1 hash:
3d4dc73fee1b191c2b942e28920c37c82d38b0ed
Link:
https://www.unpac.me/results/ec32fbd5-4c4d-45da-bd67-f33a34354e71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/860333/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105824/

Comments