MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d
SHA3-384 hash: 034a9170b231aa3c293d91a0d4245d764dc65e28a0c6bf7db3f600ff480a51c10e714a88013076cddf5e627f77957801
SHA1 hash: 99d9fa2fc2721ce77c83f57415c1d18ff3e7fc2c
MD5 hash: 778ae4319d1ec2798e51ca69f0be2e30
humanhash: fruit-social-georgia-stairway
File name:126-21-11HAR.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:773'120 bytes
First seen:2021-05-03 08:12:59 UTC
Last seen:2021-05-03 09:11:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+XVaisd9r0HJFVm0DtVxizbuG+BEVKeCRYIH9suW5d459b5hwFVR7MLYy:+X3svIHJ/mqhizYmVxC6IMs59t67oh
Threatray 4'922 similar samples on MalwareBazaar
TLSH 12F4127833E48218E43E57766835124127F6B005CE53F32FAEA862796E73B52C7117AB
Reporter lowmal3
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148311/
Detection(s):
SecuriteInfo.com.Malware.AI.1182150101.12586.30318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707378
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402609 Sample: 126-21-11HAR.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 7 other signatures 2->52 10 126-21-11HAR.exe 7 2->10         started        process3 file4 34 C:\Users\user\AppData\Local\...\tmpEAF7.tmp, XML 10->34 dropped 36 C:\Users\user\...\126-21-11HAR.exe.log, ASCII 10->36 dropped 38 C:\Users\user\AppData\...\BuNOnvYKjNYU.exe, PE32 10->38 dropped 56 Uses schtasks.exe or at.exe to add and modify task schedules 10->56 58 Tries to detect virtualization through RDTSC time measurements 10->58 14 126-21-11HAR.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 126-21-11HAR.exe 10->19         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 40 www.punkyprincess.com 172.255.208.73, 49734, 80 LEASEWEB-USA-SFO-12US United States 21->40 42 www.playsystems-j.one 66.96.162.136, 49738, 80 BIZLAND-SDUS United States 21->42 44 www.usaleadsretrieval.com 21->44 54 System process connects to network (likely due to code injection or exploit) 21->54 27 wscript.exe 21->27         started        signatures10 process11 signatures12 60 Modifies the context of a thread in another process (thread injection) 27->60 62 Maps a DLL or memory area into another process 27->62 64 Tries to detect virtualization through RDTSC time measurements 27->64 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 08:13:06 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkvhy7enf7mlxij4fjvfdxdq5shjlsy265wuorcuwgoullkbj5gq._file
Verdict:
malicious
Similar samples:
1b8900c6d6fef0ae6e5d73dc10214310f106f786274098e2fb80b219b257c215
Formbook
5386335debe7df955f9f8cf8e2fa0d5d482b197a3e24c59b0197eba5bf3d28b4
Formbook
57605921f72fd210ec256ed3010b59d111c6d3b9e49b9e830e06d6bddce83db4
Formbook
6c2f5bf673b3bbc31cf425259cd5a0262094e85a8bed03714c7b39712efc4beb
Formbook
8aabfb2b5aeee025f4a6d963c8761011efb74797e37ee89fd37ae5c23f7f2945
Formbook
9f1090c3e94e75b134c1aa55b5e8e2b6ac9b706cd27e0bb1cc44ef4b49f27c66
Formbook
9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389
Formbook
9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d
Formbook
c2b8d66b59eabf04dadf3af98e03e6f3aad3f289e826852fabda188863eb679b
Formbook
ec265177529ab61116c59e3361436b6c4f9e48bbef4488d2d3a97ebdb2f9837a
Formbook
+ 4'912 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210503-escg8h3wka/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.kelurahanpatikidul.xyz/op9s/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/3f459bce-0ef9-4baa-9a31-ce9800553560/
SH256 hash:
3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d
MD5 hash:
778ae4319d1ec2798e51ca69f0be2e30
SHA1 hash:
99d9fa2fc2721ce77c83f57415c1d18ff3e7fc2c
Link:
https://www.unpac.me/results/3f459bce-0ef9-4baa-9a31-ce9800553560/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/148311/

Comments