MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 454fd3c67c4e716c23b44e51015d263066f92812da16f4ee329b3b66c5b258d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	454fd3c67c4e716c23b44e51015d263066f92812da16f4ee329b3b66c5b258d9
SHA3-384 hash:	54a83521467a476e6d078c3832dff01bc660a5a9534d7b811a77951409008749f8f0e955d9dae2b43fe7110ba2c296f2
SHA1 hash:	07ce5676f25e8f8203f05a93b678b2a1f7380a71
MD5 hash:	c876922432dd36f0f5fc23482177cf06
humanhash:	december-seven-kitten-alanine
File name:	c876922432dd36f0f5fc23482177cf06
Download:	download sample
Signature	Formbook Create hunting rule
File size:	455'680 bytes
First seen:	2020-11-17 14:09:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:tbRWwpSsMBHkBkmJVAdMSYdfX3OzWxySPl48+SDr:tSk0MSWX3Oz+948+k
Threatray	478 similar samples on MalwareBazaar
TLSH	8AA46DB73D52687ECA6F0675056684C1FAB213CB3F908B0DB19F830C0E15A5BAB67617
Reporter	seifreed
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Creating a process from a recently created file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a system process

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/454fd3c67c4e716c23b44e51015d263066f92812da16f4ee329b3b66c5b258d9/

Threat name:

ByteCode-MSIL.Infostealer.Tepfer

Status:

Malicious

First seen:

2020-11-10 00:37:15 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ivh5hrt4jzywyi5ujziqcxjggbtpskas3ilpj3rstm5wnrnsldmq._file

Verdict:

unknown

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook agilenet rat spyware stealer trojan

Link:

https://tria.ge/reports/201117-eaa9jlrls6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.homepatioproducts.com/5bs/

Unpacked files

SH256 hash:

454fd3c67c4e716c23b44e51015d263066f92812da16f4ee329b3b66c5b258d9

MD5 hash:

c876922432dd36f0f5fc23482177cf06

SHA1 hash:

07ce5676f25e8f8203f05a93b678b2a1f7380a71

Link:

https://www.unpac.me/results/7fbdd8e0-3606-4f05-84fb-25e8a2f9b777/

SH256 hash:

b2daba8bd9bd8180b3a3f99be8b5c5341cf5393d09c3975eaf8cc25fd6c004fe

MD5 hash:

157dbc7d2a3ff1c46eeddea60af1a3b4

SHA1 hash:

4c501dec940f11fb180224faceff33617f5b98f4

Link:

https://www.unpac.me/results/7fbdd8e0-3606-4f05-84fb-25e8a2f9b777/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/7fbdd8e0-3606-4f05-84fb-25e8a2f9b777/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

e013aa026760e07a1b5228b7f15c7dae66132740ef699987014048198c081c8c

MD5 hash:

e9998e8219e9a4f264339686df8867b5

SHA1 hash:

f1758c788a7895eb920e9169e1274ddc327f808d

Link:

https://www.unpac.me/results/7fbdd8e0-3606-4f05-84fb-25e8a2f9b777/

SH256 hash:

bf052c40bcce92be0338d610b05a6c4158eae99bd3bb6d9b0fcb8764689d1550

MD5 hash:

0a4b3da03eb4e488c99981914db0f4f4

SHA1 hash:

262a4c66c52c1e3ea834adfded72e587939d0def

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/7fbdd8e0-3606-4f05-84fb-25e8a2f9b777/

Parent samples :

454fd3c67c4e716c23b44e51015d263066f92812da16f4ee329b3b66c5b258d9
db99a2696513030143db7f8620f68a5088188f95629b408b1110cf0689c8746e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample