MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48afec636886aebdf7f0be7d5b9c034f2568b890215a15f13554933d94322045. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48afec636886aebdf7f0be7d5b9c034f2568b890215a15f13554933d94322045
SHA3-384 hash: e34028aedfcb481bd87db8318d6912ad6ab383ca7841c0795130fdd9743aa678870f4d2819c49eda0ec64790472536c2
SHA1 hash: 36e49e9e443ccc82ac3c93cd4fdb995c2d118bdf
MD5 hash: e1622c2297eb663b2c1054ddc8f93659
humanhash: muppet-freddie-wyoming-aspen
File name:SecuriteInfo.com.Trojan.DownloaderNET.117.13478.2362
Download: download sample
Signature Formbook
Create hunting rule
File size:31'744 bytes
First seen:2021-02-15 23:55:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 768:TuifgfpPYi2+26kMPGSEILzB8oqlz/d+:TpYxQi2quSEIB8Jo
Threatray 3'782 similar samples on MalwareBazaar
TLSH 87E2F7A9BADD8993C02A7F7A50673721033EA2D37DA28D077ECEC293B4115C65D09B47
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Re Order.doc
Verdict:
Malicious activity
Analysis date:
2021-02-04 06:57:16 UTC
Tags:
trojan exploit CVE-2017-11882 formbook stealer
Link:
https://app.any.run/tasks/39cca620-7f57-4af9-ba94-bec0ee8c6c1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117257/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.117.13478.2362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608542
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48afec636886aebdf7f0be7d5b9c034f2568b890215a15f13554933d94322045/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 05:24:46 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73
Formbook
0fbe3e570e7074462b9c44528e6a1a3e9a4d02775acf4e9877f4f3ac87cdbd2e
Formbook
1ec5aeccf89c5d7a378e443e742e37f05a2aa7cb71150ee0ca4876c6b37d7b4d
Formbook
3aa4e025334bf046fc081743e11b2706827f2f50dbe50d43909c63d3de90edfa
Formbook
5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6
Formbook
c848b9f81ec7dcc330cc57ede3482805ccad25143eac801f7f56fc5cc0ccace5
Formbook
d68888aa1e155ac65bd1ddabcf05f61bfff65f79a11cc0ee099200c3da8c5d35
Formbook
d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5
Formbook
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
Formbook
f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c
Formbook
+ 3'772 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210215-9t5e2bx82e/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.libraorg.com/nors/
Unpacked files
SH256 hash:
48afec636886aebdf7f0be7d5b9c034f2568b890215a15f13554933d94322045
MD5 hash:
e1622c2297eb663b2c1054ddc8f93659
SHA1 hash:
36e49e9e443ccc82ac3c93cd4fdb995c2d118bdf
Link:
https://www.unpac.me/results/8a2bbac5-16a1-416f-adbb-4a3bc27bca82/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48afec636886aebdf7f0be7d5b9c034f2568b890215a15f13554933d94322045

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 48afec636886aebdf7f0be7d5b9c034f2568b890215a15f13554933d94322045

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1011596/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117257/

Comments