MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5145f1759e79b4d29641c6c604173b0bae2a3d7b156b49e8c267da63e0cd94d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5145f1759e79b4d29641c6c604173b0bae2a3d7b156b49e8c267da63e0cd94d6
SHA3-384 hash: da5ffdfa3c1d7095eb3fe613571afa64ec81ac8ebeb293c90f2eb9fa7bfc6c31464fd476ec8d986f14eaa8efb38edc2b
SHA1 hash: cb466992514ba4541bb7776ce0fbdfa75840028e
MD5 hash: 3c1181489ccff99bc9b8cda800381525
humanhash: bakerloo-white-butter-kitten
File name:Yeni Satinalma Sifarisi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:811'520 bytes
First seen:2021-09-16 12:10:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91f41270d021c09d2e59583bf5cdff98 (5 x RemcosRAT, 1 x Formbook)
ssdeep 24576:W0WE0AyOVWoKcwdZOGIZHrIzvlZwXI7Dyj3SaH+MJu:W0WEoQhudZJ
Threatray 9'296 similar samples on MalwareBazaar
TLSH T1D9056B869570583AF09E25796C9BBBEC950CBC807A29EC3462BDD87B35213C03DAD15F
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter malwarelabnet
Tags:exe FormBook formbook modiloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Yeni Satinalma Sifarisi.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 12:12:01 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/8922d4b3-0f3b-404e-9c15-a1b6fa2fdf5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188412/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.29888.4200.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6175222adb358dd15ed926c5/reports/d3509046-da4a-4bfd-a479-163a0479696e/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa1809b9-20e4-4321-be5e-ec148b3ad689
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852037
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 484468 Sample: Yeni Satinalma Sifarisi.exe Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 4 other signatures 2->42 10 Yeni Satinalma Sifarisi.exe 14 2->10         started        process3 dnsIp4 32 cdn.discordapp.com 162.159.134.233, 443, 49753, 49754 CLOUDFLARENETUS United States 10->32 34 192.168.2.1 unknown unknown 10->34 52 Writes to foreign memory regions 10->52 54 Creates a thread in another existing process (thread injection) 10->54 56 Injects a PE file into a foreign processes 10->56 14 DpiScaling.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 packapp.net 84.34.166.69, 49835, 80 TSF-IP-CORETeliaFinlandOyjEU Finland 17->28 30 www.packapp.net 17->30 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmd.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5145f1759e79b4d29641c6c604173b0bae2a3d7b156b49e8c267da63e0cd94d6/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 01:08:48 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfc7c5m6pg2nffsby3daifz3boxcupl3cvvut2gcm7nghygnstla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a7126ebae2322bac10b972bd00d62687e5f5e5b7f59c6ab63b9310180f3ce4e
Formbook
3da43dfd3613eeaf2ed56f10624f2dabdb80948c842c98fd0e26688fe55728a7
Formbook
4d80ab79360b092bb5d8fa41d14388dffe5ef42839b6dbbf741f0ce5c3424d1e
Formbook
6b93224c145b221ac786bf10b1471af61722e45bbd41a029789170ea7f1c0751
Formbook
7d0cc599bf46f1b454dc8a9c5abe86f6ba3c97032f153864513b98ccde3bc0cb
Formbook
87946dcd976eb13af37e24ff68e36a03d2f46a9ae474f336207cf03cbbb0b508
Formbook
c839e1036e4c8c7568d66cfb7c269ab8ed8048f9fc5a89464d82572a6efc1c28
Formbook
caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08
Formbook
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
Formbook
+ 9'286 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:3nop rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210916-pck7wsgbdj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.jakesplacebarbers.com/3nop/
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/34fbce0c-2bf8-4821-ad1b-8cb85f0df0cc/
SH256 hash:
5145f1759e79b4d29641c6c604173b0bae2a3d7b156b49e8c267da63e0cd94d6
MD5 hash:
3c1181489ccff99bc9b8cda800381525
SHA1 hash:
cb466992514ba4541bb7776ce0fbdfa75840028e
Link:
https://www.unpac.me/results/34fbce0c-2bf8-4821-ad1b-8cb85f0df0cc/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5145f1759e79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5145f1759e79b4d29641c6c604173b0bae2a3d7b156b49e8c267da63e0cd94d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188412/

Comments