MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46aa9899840a62d1dd93c5ff6e2ed489d401290b4e5ff1d7b6560ca9cf856519. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	46aa9899840a62d1dd93c5ff6e2ed489d401290b4e5ff1d7b6560ca9cf856519
SHA3-384 hash:	5dcd220ea8e92a89736925003e8b1f49e76f75a0c9d5cf903c4780b77ee1d8453e806046faba4b1ae12929c43763bf8e
SHA1 hash:	2b616ea940151616e4bf3dd1dfebc1ce1e67166a
MD5 hash:	42c9b109947565bb6a7b8f314468af19
humanhash:	spaghetti-jersey-saturn-kitten
File name:	Shipment Document BL,INV and packing list.jpg.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	758'272 bytes
First seen:	2022-02-22 07:25:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:hYdSpuu7l3sHPCNH22qla5w/yXbxlih5tndgnyBQyGf+v2aPkmQQ1v+J4bBG:GCuYl8vCNH0MW/IbxlUndgnyBQyGf+vu
Threatray	12'022 similar samples on MalwareBazaar
TLSH	T1D3F48D48D7565AC5E8E54A7985FA5B112750BAB18DCBC30772AC253ECABF3B43E4028C
File icon (PE):
dhash icon	69d4b26868b2cc71 (23 x Formbook, 6 x SnakeKeylogger, 2 x AgentTesla)
Reporter	cocaman
Tags:	DHL exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/243146/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62149017875593a3cc013454/reports/313d0496-eba1-4890-972b-d32449e5500a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8000fe59-c366-463f-a044-b170d9a276e6

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/943692

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Costura Assembly Loader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/46aa9899840a62d1dd93c5ff6e2ed489d401290b4e5ff1d7b6560ca9cf856519/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-02-22 03:47:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 42 (64.29%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i2vjrgmebjrndxmtyx7w4lwurhkackiljzp7dv5wkygktt4fmumq._file

Verdict:

malicious

Label(s):

formbook

Formbook

8eedc524cbcf57998c67472c72d0db19becad221e770bea32486deb9661d3fd4

Formbook

8f0a372287ebba19a62630d683fc3292df06a10faeaed2ac68cde0c5b2374844

Formbook

e2682ee08233df5afc90d9295165ffed0373e4f34278d99d5a30622c2577639b

Formbook

e29100d2ecddd199e9b4b40d094b36f7a67981393cf3f58cfacabf91e3dd7eed

Formbook

+ 12'012 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:f1s1 persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/220222-h9k5tseag8/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Formbook Payload

Formbook

Unpacked files

SH256 hash:

874edfe2badfeb0324824d9e91328b7fb0e30f92dffc508ac7ec6cae45044c96

MD5 hash:

aa4a9e73fb8f03161b46171295cdd411

SHA1 hash:

34905e428b64be6482cf8454b17c6629f31e02ef

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f26d1c0b-e4f5-4609-845b-f18cc36698c9/

Parent samples :

0a4ebd7a3922a03ec0c6db580671714e2318e997af1f6613ede7471d4d81f0ab
2af06422e62704ac3eb70a7ce1b5fa08d5a2f0f0bb71b604298aedc24e256f56
46aa9899840a62d1dd93c5ff6e2ed489d401290b4e5ff1d7b6560ca9cf856519
951abf2f4116821009369b593b8b56f353bb6176e7574b44fcb448eaea6515db
69e2e974e72cad787eefb413d7a2cec8bf4f71365ac46093556a8362e9ada553

SH256 hash:

9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

MD5 hash:

9fbb8cec55b2115c00c0ba386c37ce62

SHA1 hash:

e2378a1c22c35e40fd1c3e19066de4e33b50f24a

Link:

https://www.unpac.me/results/f26d1c0b-e4f5-4609-845b-f18cc36698c9/

SH256 hash:

f6f9ae9bfdddb234189c37d7aeba90441fbd2df9807a868b28f9b55488a998a9

MD5 hash:

bca54e15009c0a450a4841967d448a70

SHA1 hash:

2107294ac6b8ad7af6677c1b0e368dd0be79398c

Link:

https://www.unpac.me/results/f26d1c0b-e4f5-4609-845b-f18cc36698c9/

SH256 hash:

46aa9899840a62d1dd93c5ff6e2ed489d401290b4e5ff1d7b6560ca9cf856519

MD5 hash:

42c9b109947565bb6a7b8f314468af19

SHA1 hash:

2b616ea940151616e4bf3dd1dfebc1ce1e67166a

Link:

https://www.unpac.me/results/f26d1c0b-e4f5-4609-845b-f18cc36698c9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/46aa9899840a62d1dd93c5ff6e2ed489d401290b4e5ff1d7b6560ca9cf856519

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research