MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee
SHA3-384 hash: fd9e51731cbacea82414c5c1f1fcfc3195c558fd7ab160044db29540d788af52d21d339eb57c7f49700137a9607dd439
SHA1 hash: 0bb6e51bbd66dfa5afacf3e12ab9789252f2ff57
MD5 hash: c4ee18d4a484321620bef6ddd00fc620
humanhash: missouri-mountain-seventeen-twenty
File name:PO082021.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:237'376 bytes
First seen:2021-08-24 01:17:08 UTC
Last seen:2021-08-24 01:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ef74f7b87fa15b6df54d064a5b8ef31 (10 x AgentTesla, 3 x Formbook, 1 x AZORult)
ssdeep 6144:qK90Si3cX/ljsdbhmuUhmA3gOETfcfmcb2pY:q50XidohmdOufcOcb1
Threatray 8'380 similar samples on MalwareBazaar
TLSH T1903402451E0CA60AD074843EA80F66BF41CE7FF5DC1F456BB79831AA1A7A3E0E52D911
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO082021.scr
Verdict:
Malicious activity
Analysis date:
2021-08-24 01:17:56 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6bbd62fb-c6ab-4cb1-b88c-d5edfd678e04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181673/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.26676.18040.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
DNS request
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Connection attempt
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/202a3492-e45c-4a7a-8bd6-1267d7f4eaf2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837893
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470324 Sample: PO082021.scr Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 5 other signatures 2->47 9 PO082021.exe 1 2->9         started        process3 signatures4 49 Detected unpacking (changes PE section rights) 9->49 51 Maps a DLL or memory area into another process 9->51 53 Tries to detect virtualization through RDTSC time measurements 9->53 12 PO082021.exe 9->12         started        15 conhost.exe 9->15         started        process5 signatures6 55 Modifies the context of a thread in another process (thread injection) 12->55 57 Maps a DLL or memory area into another process 12->57 59 Sample uses process hollowing technique 12->59 61 Queues an APC in another process (thread injection) 12->61 17 msdt.exe 12->17         started        20 explorer.exe 12->20 injected process7 dnsIp8 33 Modifies the context of a thread in another process (thread injection) 17->33 35 Maps a DLL or memory area into another process 17->35 37 Tries to detect virtualization through RDTSC time measurements 17->37 23 cmd.exe 1 17->23         started        27 www.jamesmolloymakeup.net 94.136.40.51, 49719, 80 GD-EMEA-DC-LD5GB United Kingdom 20->27 29 www.cartooningmasterclass.com 20->29 31 cartooningmasterclass.com 34.102.136.180, 49716, 80 GOOGLEUS United States 20->31 39 System process connects to network (likely due to code injection or exploit) 20->39 signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee/
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 01:18:08 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6sgedyhl3liow4w3kggmeuh7qjmlbw5yusmqzvgqyngvffcnpxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19fea0b558bc85df1bec0bd5a086fd2678767117999762731b0f6fe15e1c590a
Formbook
57605921f72fd210ec256ed3010b59d111c6d3b9e49b9e830e06d6bddce83db4
Formbook
7fe042e93ace8e9e3ac6c6b4f14847addc613c3c710a3e2bb63d36e4e188ec72
Formbook
8943af6c4da94f93c169ef98a7b8393ca92b01753e89ea5503d5740bcc45296d
Formbook
96f3a3030eeb072ca1872f376968f3d0515af0c3aba21a1a1f77625ee1af1632
Formbook
98f8f84dbf9e3a4462066c94e447ba3bdc6bc3d0119511e8c6d6cea0234f885c
Formbook
e242d70710f47daf819f4dec74264d265efd80a1aa12eec27c0ac20715670923
Formbook
ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163
Formbook
f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
Formbook
f8c3b9a8f01e022158ef5f9bc6d69287b6b03ce5527f7ac911de25dcdc016569
Formbook
+ 8'370 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:zizv rat spyware stealer trojan
Link:
https://tria.ge/reports/210824-psjqy92da6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thekalimasigroup.com/zizv/
Unpacked files
SH256 hash:
4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee
MD5 hash:
c4ee18d4a484321620bef6ddd00fc620
SHA1 hash:
0bb6e51bbd66dfa5afacf3e12ab9789252f2ff57
Link:
https://www.unpac.me/results/9e9d16af-e451-4d61-ad50-94fb63d3f002/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/181673/

Comments