MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
SHA3-384 hash: bb71921d9c1e2b00db6b21fe0a045c2ca2bb7bac4a51ea15cd220c8e60a10122bd6137a2486b431f1be11fc4a75a5329
SHA1 hash: 8826f96cebeed2648ec759c7b95d2259bfe06dd8
MD5 hash: d4893db0fc3dc1bae3639923442b7187
humanhash: quebec-fix-floor-aspen
File name:d4893db0fc3dc1bae3639923442b7187
Download: download sample
Signature Formbook
Create hunting rule
File size:760'320 bytes
First seen:2021-06-22 02:22:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:r5XbyWFHmsSL69bA3qBIYmcvDq+HpfgoEWiumPEPO6dEmtU6yBHhU:rNpHw29A3q2YmcrqYp/niuGE2OBtF
Threatray 5'892 similar samples on MalwareBazaar
TLSH 57F4BF3039EE610DF577AE781AE436E29A7F7E677B07995C24D4230A9723842CF41938
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://urlhaus.abuse.ch/browse.php?search=exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 01:51:31 UTC
Tags:
opendir loader trojan lokibot stealer formbook
Link:
https://app.any.run/tasks/949dcf7e-79e5-480d-bcc6-e176b0c1da10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167417/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.858.29913.24939.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/315b4068-2f23-40ec-97ad-3b69d7813a4a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805695
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438106 Sample: qlqgHTRySR Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 7 other signatures 2->42 8 qlqgHTRySR.exe 3 2->8         started        12 explorer.exe 2->12         started        process3 dnsIp4 28 C:\Users\user\AppData\...\qlqgHTRySR.exe.log, ASCII 8->28 dropped 44 Tries to detect virtualization through RDTSC time measurements 8->44 15 qlqgHTRySR.exe 8->15         started        30 www.treepik.com 12->30 32 www.onlineshreecollection.com 12->32 34 2 other IPs or domains 12->34 46 System process connects to network (likely due to code injection or exploit) 12->46 18 WWAHost.exe 12->18         started        20 autochk.exe 12->20         started        22 autochk.exe 12->22         started        file5 signatures6 process7 signatures8 48 Modifies the context of a thread in another process (thread injection) 15->48 50 Maps a DLL or memory area into another process 15->50 52 Sample uses process hollowing technique 15->52 54 Queues an APC in another process (thread injection) 15->54 56 Tries to detect virtualization through RDTSC time measurements 18->56 24 cmd.exe 1 18->24         started        process9 process10 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 10:44:19 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5d4c17f9ea28e3df3efa9d9c7ba40444abeee049fe999eb2d579c6cf4ccc3231
Formbook
5fef6e5e702f6ac33542c50d34d3054d1b957c3afd5dffc8fbeaa81d82fdf562
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
93d053f43313cccae2d3f9d00b4556429a63efb104b97e08967da8569fa2ff82
Formbook
94827e12d128626a8d64286432a73293f76cb45c1f523ff0ad7e67b90802a123
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
abe3945460e661e29e3e235bda3144691f263414e49e0976b67d752166274565
Formbook
dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512
Formbook
e5561555b0be45246e4ce5418a203d5a0d800595de770d772d0d86d0ed2662bb
Formbook
+ 5'882 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210622-gz6hv7h4ae/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dragonpalcenk.com/k8n/
Unpacked files
SH256 hash:
6f50f7e43344f1aac5fdec715b5853ad2e7745ae7d7ffd5a2e7df78fcdc3cad9
MD5 hash:
6622d21c33e48c89d38848235d30af77
SHA1 hash:
4f390709de12eac9aa5c393175aa88687f5cd977
Link:
https://www.unpac.me/results/4d3622f5-7c20-4c63-9435-848e67340a16/
SH256 hash:
a6b7a8e26e7ee410b431ee7d20ff90e40497509c5ec735ac7e9b2630ecc12365
MD5 hash:
82fd894d686f0adb1888821f20d7fd2a
SHA1 hash:
95821b339429f5e96c5bd484d26aa26c0bb31cf2
Link:
https://www.unpac.me/results/4d3622f5-7c20-4c63-9435-848e67340a16/
SH256 hash:
a2aaf9064d161919fbcbb6932210370dce36ffd64d6a960b47dbddfaca3dcb25
MD5 hash:
2707aeb8e691efe7687a4d3f0596433a
SHA1 hash:
0c93f6efc025d01ce676fc4d970bffcae34d783b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d3622f5-7c20-4c63-9435-848e67340a16/
Parent samples :
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
SH256 hash:
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
MD5 hash:
d4893db0fc3dc1bae3639923442b7187
SHA1 hash:
8826f96cebeed2648ec759c7b95d2259bfe06dd8
Link:
https://www.unpac.me/results/4d3622f5-7c20-4c63-9435-848e67340a16/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:korean_malware
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1386838/
Cape
Cape
https://www.capesandbox.com/analysis/167417/

Comments