MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9
SHA3-384 hash: b88dc4c8c4535b2bd2c8cefa038947f5251a6ac99a5de45e76e08cd7fa7beda270fec7d0833e9e18388767a71b9e554a
SHA1 hash: dda88a5c128e8b48fdc32763e995a6e1959abd39
MD5 hash: 85b1058296957916727df251dcab1236
humanhash: yellow-stream-artist-seventeen
File name:Draft Contract - Chinese Language.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:964'608 bytes
First seen:2021-02-10 06:22:42 UTC
Last seen:2021-02-10 08:24:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:yhttk9rcn+BL+x9MhI2aWQoCDbJALVjfBeB5q:CtU3iIcWNCZALIq
Threatray 3'787 similar samples on MalwareBazaar
TLSH 8D25BF2DF519A735F0687A7A84B1933086AEDC125512EA3E3ED9329F4971BEC40D7F02
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Draft Contract - Chinese Language.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 06:24:53 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/ce05552a-f9eb-42cb-9a83-7fc63688f803

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116355/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45708062.9155.27886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/603897
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 06:23:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbpwi43hssoyx5xymnxsrjbxnqjf2x3nf7v4q64t4jyhkad3axeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854
FormBook
3aa4e025334bf046fc081743e11b2706827f2f50dbe50d43909c63d3de90edfa
FormBook
49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a
FormBook
4cd5fc82f7d1094ebe188a372dd682d24083ea423f0b49a057cfacc0af849ac4
FormBook
57f501264360e52cdc77696ff96c77b47ecad9ceb41cd0210cf2f3809bebafc8
FormBook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
FormBook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
FormBook
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
FormBook
c3d490568e73f61c86d2d4c01e170bdcf3c0d3eb5e309ff3d3fb808a4a867a54
FormBook
e56fe870da3015a5537b82acf5b9228953cafa74235b5c9257eaf049a6045cc6
FormBook
+ 3'777 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210210-jdqkvetben/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.entrustedhomeinspections.com/xxg/
Unpacked files
SH256 hash:
beac1f2d950ef2733c5c06d903f2747fbfc84eee92e17b908f5284cb10d8705d
MD5 hash:
985a0eecbc0823d16b4a3242731a19d1
SHA1 hash:
5412004b543ea8ecad5cd7aec4c726c10acf79ed
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/24db85ab-d09c-4f35-9ed1-394e99ad432f/
Parent samples :
12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854
505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9
SH256 hash:
d8d2e8dd381a578e992050a249a09e8e5c427475d99c2bbf95c4b88de1fddd31
MD5 hash:
03e53273cd7a7b334a4333ad1ffd59da
SHA1 hash:
a7e1b8b31b318df90622213ddb56bd2268255124
Link:
https://www.unpac.me/results/24db85ab-d09c-4f35-9ed1-394e99ad432f/
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/24db85ab-d09c-4f35-9ed1-394e99ad432f/
SH256 hash:
505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9
MD5 hash:
85b1058296957916727df251dcab1236
SHA1 hash:
dda88a5c128e8b48fdc32763e995a6e1959abd39
Link:
https://www.unpac.me/results/24db85ab-d09c-4f35-9ed1-394e99ad432f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

ace 683360abc9273cf1bf058dff26e14550987ff5bb2cab8d6e56b7139bb97f4328

FormBook

Executable exe 505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 683360abc9273cf1bf058dff26e14550987ff5bb2cab8d6e56b7139bb97f4328
Cape
Cape
https://www.capesandbox.com/analysis/116355/

Comments