MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd
SHA3-384 hash:	3479104191d8910fe6d92147cf4b615a437155baada85000744daa817ec800f637c4b3c51cc6d385543760fa6728f92e
SHA1 hash:	396c379fd25a09f327e74ac595b554ec01522d16
MD5 hash:	cb2f90f127deb8055bc861a7ef11cab8
humanhash:	august-table-butter-november
File name:	Bank Swift.doc.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	484'864 bytes
First seen:	2022-01-20 10:16:47 UTC
Last seen:	2022-01-20 11:57:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:YUYyYIogf+mMfLFDWX5R6L3oRrJubLYRU6S3qJoer7Q+iJ1wS7FQ12akfLZxyaA:cqJMzxQRAnYRuqJPcvrBfya
Threatray	12'789 similar samples on MalwareBazaar
TLSH	T116A4C007B6DEDA25C215A673C8EF400087B9AF81A513E70E3DD873BC192275B6A4539F
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/221028/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.36291.17683.3764.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bladabindi control.exe formbook obfuscated packed remote.exe replace.exe update.exe

Link:

https://www.filescan.io/uploads/61e936a4d32385db630e2e66/reports/d11566c8-7460-4f40-becb-54dbf429d8b7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f08ccf7-14d9-4f66-ad76-46a24941ee9c

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/924218

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-19 18:08:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jljt3mqxzuuostubnwtwen262z3hidzb53qf6yf6o6c3e5tfz66q._file

Verdict:

malicious

Label(s):

formbook

Formbook

10ff5c8bac827b012bc5b6f789e7c23913b662453cd0bcc7f3f5192260d7a950

Formbook

4d14c4ae70e6eb6442b90dbc4308d180f43308e38112903c6afd33adf3e04ec7

Formbook

81dc0dc902eb39bef1ff536e63644fac0d6aa928a200718185aaa21c137c7458

Formbook

ba47d548d20732c621ab2fa56d5276a838de12667e1c0355bcf3dbb1466889b3

Formbook

ca205b38e2ee729d40141563bbb4200970224f4e00b380d5108a3ae51fb7eada

Formbook

d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35

Formbook

d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633

Formbook

f0748cd86f2648c4ff23611f87661ba89045039966eb9595c2fb4d046249e1f2

Formbook

f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363

Formbook

+ 12'779 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220120-mbc4sahec4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

46e09aa8f1d737799195f4baf4d4bc2c12f51d81656ccc3448f4d1af6b6e3e25

MD5 hash:

8b09b3046673f2354802096d6217e392

SHA1 hash:

50083ef5695b64704b4f50a7bf7a24cab5d746be

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/4790642f-bab9-4e95-a995-e40d12383624/

Parent samples :

719d886691ce91e7cbf30951199fb337e7ed2d1bae4c381a57da2d3802594be2
ba47d548d20732c621ab2fa56d5276a838de12667e1c0355bcf3dbb1466889b3
c0c29923af2f1b96665b03ba9ad6b7d68a0c1b8cfb4e42767656d9d3b0a5dec0
f75fa96a8fe88dc2fffd64208705d26fb980db33afff6b872f34e1f9034e0363
d36d73e78b048c34b8ed4b2c1035f27c0c1857ae8eb5f1167942981139138b35
d89ceaf1e34dd42cef063ecb6b8e219479f276c6cc30e2ab6ae8c881a8d60633
ed6f5a03bca21156bbdd4119ab88c31234eb1a3114552451a7d8af201279e908
07bed83b3f7c13154a148f82ceac3fe9f68a7995ed5a939e91427e611bfaa863
4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd
86fe5597dcc6944c5615838866eb7d68d212bc87200c9ea1a2e244755d8fe410
21e0f4a6f5733e2bfb4ba603957244392e641f596d9df3f6900d5efa5b895afd
ce80df3a4bc48726d4cb9365247b06678da7972d8473a159b1db32fb66f48a82
2bfa8e78bd3e83e2f442a4c560af71c366044893a85b15aff2f3d7d4c67636cf
d9fbe8e59e8dcf5231168ed35a3ad0c8c448eb888eca02c9b898d5961899e839
37381387ba545bb59dfd52eca6574b037020b32ffb1eb9d97419791ac6832b2e
4748460c7c757eda69a0340104939b382231567cf559315494901fe2b122900c
8b0d428152973c0f0bb8279f50524cbe0f2d809593fc6095bff2c29ab581fe2f
95bc06b53614e506be16b2ab8b0841e48fbb95796e86c2052e104d0a485a1b91
d65780164a77ce22c797194c56063b03c1c4975987604aa4a35184d62f0b068a
f35b19f498e527a1a8eca51ec82221c55c2f969efb59b2c0b6cff0f3e0e852f6
5c443a90ff238f83c70b95defcd8dc990289072c42e47ec7749905037add8040
799b39cfe67e2f5219fcdb37a5e82ab96e3456273b05d8ccf2eab60aa2ca6fa8
e5b723d9a13e6fec23839823866253128dbe758c31082616ca89cf55d35a3998
c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
a6d8e8caf01f8c13d014eb8b8bf7f55b453d7084d709efa0e98d43c8290feed8
d28d578ee53e1d9bd5eaad8bd5772098ad8909f8ccb3c22a47da9a53857637f9
bb2c94169afa24fc9d064b5fd6878c9547693eb917850844c417716ec5269718
fba3315dff9db2942ea64b91b77cf06855e83b1eed9199cfed679b08f65f9f69

SH256 hash:

cc1c9557d7f757bcee8c1b4ef35327494ee4c318e6b881d30d581b010c046c5b

MD5 hash:

c6b2e18a4555a617080f23de18892ff0

SHA1 hash:

837bdc4750b91394d8fe6cf85728dfc732715e66

Link:

https://www.unpac.me/results/4790642f-bab9-4e95-a995-e40d12383624/

SH256 hash:

b4ac4d7ba7186ec694909413e82b53f6c8ca0f9e6d7589bf845fd2537adc02d5

MD5 hash:

48fdc28d68a1266252369d80f8026b64

SHA1 hash:

6a92b0c78845a71c87d68c3ea758b7e20d7b4fcc

Link:

https://www.unpac.me/results/4790642f-bab9-4e95-a995-e40d12383624/

SH256 hash:

4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd

MD5 hash:

cb2f90f127deb8055bc861a7ef11cab8

SHA1 hash:

396c379fd25a09f327e74ac595b554ec01522d16

Link:

https://www.unpac.me/results/4790642f-bab9-4e95-a995-e40d12383624/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

33082ffeec501e6e83900d4a6e94a6e06f2f6d877cb63832a18241721d3f2148

Formbook

exe 4ad33db217cd28e94e816da762375ed676740f21eee05f60be7785b27665cfbd

(this sample)

Dropped by

MD5 3d9665ef3f83c9a4be320e209146d246

Dropped by

SHA256 33082ffeec501e6e83900d4a6e94a6e06f2f6d877cb63832a18241721d3f2148

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/221028/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample