MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47795e947ae1864d553396ae7b191c6c507f2e5e50ced435018906c43f2364e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments 1

SHA256 hash:	47795e947ae1864d553396ae7b191c6c507f2e5e50ced435018906c43f2364e5
SHA3-384 hash:	62fd8127d98811ab7b7d35d8008d7516fc211569dd0d4bce1c377e5a5378ea6417b55d8f0fb2357297fd7fa3f35045d3
SHA1 hash:	cf47737b8783d2aea099151e9de4d7e99c8d97b8
MD5 hash:	3865c28dc1c2be2176865bdbee3aef15
humanhash:	one-four-cardinal-sweet
File name:	SecuriteInfo.com.Gen.Variant.Androm.29.12667.1300
Download:	download sample
Signature	Formbook Create hunting rule
File size:	231'609 bytes
First seen:	2021-05-11 02:50:22 UTC
Last seen:	2021-05-11 03:00:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	6144:L9X0Ggv38quELaK2V+hieISYkrNs+04IFozG:l0VP8qRLahh4YSNs54I+zG
Threatray	5'173 similar samples on MalwareBazaar
TLSH	723412A37B40E8ABC96A07B01E769797DFE2E1005A3947C723945F4C6E63B411D1F2E1
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/154649/

Detection(s):

SecuriteInfo.com.Gen.Variant.Androm.29.12667.1300.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/778099

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/47795e947ae1864d553396ae7b191c6c507f2e5e50ced435018906c43f2364e5/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2021-05-11 02:02:27 UTC

AV detection:

22 of 47 (46.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i54v5fd24gde2vjts2xhwgi4nrih6ls6kdhninibredmipzdmtsq._file

Verdict:

malicious

Label(s):

formbook

Formbook

3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461

Formbook

49418af33201289e66136b482386db29a68e32c689f0b625eed3699b8bb45940

Formbook

5313ca84959a3d88973ad5b85acc66e268c3e8874d5d6f21fcd4a4c1a7628496

Formbook

78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c

Formbook

859db52a7e6fdf6f93350d27b7917853b8b88a2536721328ff60a98f59a93b91

Formbook

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

Formbook

b35de004189f271fe754dd614e5fbbc299425f5aca9ebf1f935bf26696964853

Formbook

b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2

Formbook

e47fa9824fd9f5f8e8b42fb02f53cfbf57b7c784d54c9e76ed247a9d297835cf

Formbook

+ 5'163 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210511-racp9dthfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.knighttechinca.com/dxe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Gamarue

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47795e947ae1864d553396ae7b191c6c507f2e5e50ced435018906c43f2364e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/154649/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 02:59:33 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process