MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f
SHA3-384 hash:	c3780f47ed7740d3134cbbce0fa1c02a65e413b7a54ea9c106912b7d5a7184bcd60a4f536a5cf7155085cb92a42f5df7
SHA1 hash:	286f0077e64ebb83e306819f7aee6b30f819224c
MD5 hash:	5a300a9696b788aaaa56009c6a469fa5
humanhash:	hydrogen-burger-solar-india
File name:	Australia new order.scr.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	937'984 bytes
First seen:	2022-04-11 15:09:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:6/tzWIp5474UcrnfI+4cS7Bt9izt6UtXZLbdwIWJRqh:6/xFBUjcS7BtAzt6apLxwIWO
Threatray	15'017 similar samples on MalwareBazaar
TLSH	T10015F011F6729A06C97C4EF398A14A9B5B30C811D010D2CB3BF9358EDA62F973D7925B
File icon (PE):
dhash icon	71e89ebab2aeec70 (14 x AgentTesla, 13 x Loki, 13 x Formbook)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Australia new order.scr.exe

Verdict:

Malicious activity

Analysis date:

2022-04-12 01:02:32 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/57487fab-8dfd-4571-b95d-663a7fe03fba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/262736/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware obfuscated packed remote.exe replace.exe update.exe

Link:

https://www.filescan.io/uploads/625444b004b81dabe281aa90/reports/24047d5a-8388-4b55-a5df-708ad541df42/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd753382-90ce-4572-bfa2-aa56e5fc7132

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/974704

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Sigma detected: CMSTP Execution Process Creation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-11 15:09:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kbgcvb27rihqxhhupvykupzs335a4o3g6qb743wmxjhytn6mg6pq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4c5d57b063eeb8b59a0d22007e4698b75e7f16d2144636fd0610661a733b5b1b

Formbook

6c508beda564432a5658a9a1a1ef8061971195cc9ad84fba7c38db9b65450eab

Formbook

76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6

Formbook

af3efb1470cc4818ac5cc03b516aa833df1635a311745b78b58406b46886ad04

Formbook

dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a

Formbook

e51d07f5a5a73b65e0ddd7f2b94fa87a3fede71fbb4e4b35c57b9fc56dd198ee

Formbook

f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4

Formbook

+ 15'007 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:s16r rat spyware stealer trojan

Link:

https://tria.ge/reports/220411-sj14gaahb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Unpacked files

SH256 hash:

dba88743bd48da8979345d7fb414a23e693ea124f9bad75c18c9496fbbf4942c

MD5 hash:

06ee9717e415654f0daf2ac073e175a5

SHA1 hash:

774f649c6aaa48fb6a1a676902b821bc16a09601

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/345089d8-3fc0-4444-bba9-b2cc48ce9e5f/

Parent samples :

24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244
f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4
dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a
76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6
e6d85a6287cb583fc5dec0b47a3288d9d0bed8e103991797b14a0e16ab41a9b4
4c5d57b063eeb8b59a0d22007e4698b75e7f16d2144636fd0610661a733b5b1b
668deaef1d8c72ce98a734831d2fa70a27e85948c497d5f980c7d8236416fc52
6cc892ee85c0247a54d6329b73857fac9d20b9b76d6b4d360fe5c752a0983180
710cf8f0a914a5baf6d61323ec2f33babc05c1374f4ae3fa8a2b04099c8f1b7f
e51d07f5a5a73b65e0ddd7f2b94fa87a3fede71fbb4e4b35c57b9fc56dd198ee
f71ffb7f3aa8f472021605310da900b36925efcf3f2965b6e541f0aaab4eb1c3
7b019b56698280d4c945147470334d6a5dea23d758713028d21bcfe34d4f0123
504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f
dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6
29a4e548415db316b3e1eea470848a8f339d93afa5bb47cbb357b42a95d5e350

SH256 hash:

007694272e71c5aa5e99bee9e6f9a48bd591a5f1d84f7e4d82b86d32570815b0

MD5 hash:

df10f342c5a36206cae9c53f0fbda9dd

SHA1 hash:

fc0e8645a7ed3fe8eb6a6ec45e34753baa2b1461

Link:

https://www.unpac.me/results/345089d8-3fc0-4444-bba9-b2cc48ce9e5f/

SH256 hash:

c18e1fa1b0d4337b319aa9e14eb1821ab0ee61ff1f3685cf6bc7026ed2b225a8

MD5 hash:

907b061745d279d1a5d43dbbb7fc6d39

SHA1 hash:

905aaa3a3b7d03cc1dd8a2029f037e185072d8d1

Link:

https://www.unpac.me/results/345089d8-3fc0-4444-bba9-b2cc48ce9e5f/

SH256 hash:

df49e150fdb038d148ab14114192ec2f05f772a945db43caa7cad34b70470c95

MD5 hash:

7daca465eb298cada81cbf635d4c1407

SHA1 hash:

6b370307eb2cc1ce2b1c569c0a2a63f8b74dbcd9

Link:

https://www.unpac.me/results/345089d8-3fc0-4444-bba9-b2cc48ce9e5f/

SH256 hash:

504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f

MD5 hash:

5a300a9696b788aaaa56009c6a469fa5

SHA1 hash:

286f0077e64ebb83e306819f7aee6b30f819224c

Link:

https://www.unpac.me/results/345089d8-3fc0-4444-bba9-b2cc48ce9e5f/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/504c2a875f8a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/262736/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample