MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f
SHA3-384 hash: bcdcdde5580c81688693c2624a124faa79b1923d8ffcf64bd38aca7df7fea4a08a4797d1cd8cce54dc46caef8dc62e86
SHA1 hash: c91aa81d9b7d0a4875f58147cefe112172e81ea6
MD5 hash: 535d6d6b624c4b84d4a1059badfba799
humanhash: spring-berlin-speaker-early
File name:535d6d6b624c4b84d4a1059badfba799.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:481'792 bytes
First seen:2021-12-21 08:51:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qD/eG9u7LfiK03Uwlob0qjB/zaz7Ym53tGG:qSOuLaZUZjB/zaXGG
Threatray 12'383 similar samples on MalwareBazaar
TLSH T1A3A4E168E623E5F8EA2D037D79314C221FA5C556B499DBEE5A8571A20D3430320AFDCF
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
535d6d6b624c4b84d4a1059badfba799.exe
Verdict:
Malicious activity
Analysis date:
2021-12-21 08:56:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14d70427-f42a-489f-9e91-91cee9ccf1b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215613/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61c195b64ab5c44cbf4b4306/reports/ac221bc7-2e9b-40e3-a2da-39cb8c757649/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1825f8ce-c4b1-4046-b329-e216a77c8107
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910842
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 543320 Sample: WbPO33PFF4.exe Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 35 canonicalizer.ucsuri.tcs 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 8 other signatures 2->43 11 WbPO33PFF4.exe 3 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\WbPO33PFF4.exe.log, ASCII 11->33 dropped 53 Tries to detect virtualization through RDTSC time measurements 11->53 55 Injects a PE file into a foreign processes 11->55 15 WbPO33PFF4.exe 11->15         started        18 WbPO33PFF4.exe 11->18         started        20 WbPO33PFF4.exe 11->20         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 22 explorer.exe 15->22 injected process9 process10 24 svchost.exe 22->24         started        signatures11 45 Self deletion via cmd delete 24->45 47 Modifies the context of a thread in another process (thread injection) 24->47 49 Maps a DLL or memory area into another process 24->49 51 Tries to detect virtualization through RDTSC time measurements 24->51 27 cmd.exe 1 24->27         started        29 explorer.exe 124 24->29         started        process12 process13 31 conhost.exe 27->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 08:53:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kaxkxglon5l4rppr75idmtist2x6r25s2uygyrq3tktjjrmd3qpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0123fdb2e8de200e6fa07cd5c254771143b7d9fea4f6895077b4f609fc5ae1cf
Formbook
26b24cfe3b0bb84b26fc83ce689b74728ac61f32391772dcc76eab04cc7042b5
Formbook
3662913e3004f6e3811499a9877265b55fd4b99400607d2f4b4168dc2621f1ab
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
8e079aa4afe26627a784ac447071b5dcd460ba1393851199e21da312a6ff2f18
Formbook
90f9e8094fe8847f4b4521afafd5c5e59d4368ddc26a4f589730cd998520fd50
Formbook
a33cbeb94697eb2355ea92f44f065e52461adaf621ad548d066dc73d6d76eeb9
Formbook
d9563466b0112cc1d51196d5ea329e684cb3373f5fd75bdafec0210b3940b111
Formbook
e22a659b73048b31aba79fce8de22ddd5a287494b763fec8d5779869dfebbf31
Formbook
+ 12'373 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a9rn rat spyware stealer trojan
Link:
https://tria.ge/reports/211221-ksq1vscgc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
859260a506526e27f318edf18c5c6498e0e3ac42bcef750a52bdbb1f330416cf
MD5 hash:
c9e0ba6da4db2a279f5acb1e49a28659
SHA1 hash:
c0147c0dacfa737d73facd9b2deb31e6f1412c38
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4dd12251-49b2-40e1-bdf7-4dc3de99e09d/
Parent samples :
d9563466b0112cc1d51196d5ea329e684cb3373f5fd75bdafec0210b3940b111
502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f
SH256 hash:
cd3d37426d74bd9d2c5a78a9bf59061e6f62724fb86106833195c6e378e53c0d
MD5 hash:
6d491171a660c8f1415687c5e1c268d4
SHA1 hash:
9f465eb874c4cfe94d7f5f33e8d938481752c15e
Link:
https://www.unpac.me/results/4dd12251-49b2-40e1-bdf7-4dc3de99e09d/
SH256 hash:
cc863038dfc58d37276a1f1cb952870d6a2cd81a7ac72d3ed7021e5c5aa1c8f0
MD5 hash:
2c5570f3b591aa1fd57f5ec62ab89b76
SHA1 hash:
7a451b030d1acef0a149e333ba9df225fc5494d1
Link:
https://www.unpac.me/results/4dd12251-49b2-40e1-bdf7-4dc3de99e09d/
SH256 hash:
502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f
MD5 hash:
535d6d6b624c4b84d4a1059badfba799
SHA1 hash:
c91aa81d9b7d0a4875f58147cefe112172e81ea6
Link:
https://www.unpac.me/results/4dd12251-49b2-40e1-bdf7-4dc3de99e09d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 502eab996e6f57c8bdf1ff50364d129eafe8ebb2d5306c461b9aa694c583dc1f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1902350/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215613/

Comments