MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1
SHA3-384 hash: 45918e7b0c7194bee8a24a388bc479f2673d6c3eccd2ecf6ff96c30011cb1084def158b1337b8fa3246099688231ea21
SHA1 hash: 16b1ce9d404faeafe15f4bc2d60ab3d59c173164
MD5 hash: f8a2a66cb7f5ff9cd74bb2071a2753a1
humanhash: hamper-grey-ten-michigan
File name:f8a2a66cb7f5ff9cd74bb2071a2753a1
Download: download sample
Signature Formbook
Create hunting rule
File size:907'776 bytes
First seen:2021-06-23 07:43:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:m136HhlM9c+YsxKdeVnGgUGdJGCf7Xi2:U6Hh90VnGgUuJvzb
Threatray 5'974 similar samples on MalwareBazaar
TLSH F7159E3026A57F1DF57AE738AAA521D5D7F6FA13E302DC9C7DE102CA0562E40CB60927
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e3f2f005659153043a0bae492bd8dce6e583f0037eb59349bf649c6e3c864504
Verdict:
Malicious activity
Analysis date:
2021-06-23 05:54:28 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/e3c46b55-ad70-40dd-a99a-f73080d2c33d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167764/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader39.59262.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd30df0e-0b08-49af-aee5-ea3fd0b8fe84
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806453
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438864 Sample: hWX4qGFdQr Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 6 other signatures 2->50 9 hWX4qGFdQr.exe 3 2->9         started        13 explorer.exe 2->13         started        process3 dnsIp4 28 C:\Users\user\AppData\...\hWX4qGFdQr.exe.log, ASCII 9->28 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->58 60 Tries to detect virtualization through RDTSC time measurements 9->60 62 Injects a PE file into a foreign processes 9->62 16 hWX4qGFdQr.exe 9->16         started        19 hWX4qGFdQr.exe 9->19         started        30 www.icuvietnam.com 123.31.43.125, 80 VNPT-AS-VNVNPTCorpVN Viet Nam 13->30 32 www.gorillarecruiting.com 13->32 34 gorillarecruiting.com 34.102.136.180, 49739, 80 GOOGLEUS United States 13->34 64 System process connects to network (likely due to code injection or exploit) 13->64 file5 signatures6 process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Sample uses process hollowing technique 16->40 42 Queues an APC in another process (thread injection) 16->42 21 control.exe 16->21         started        process9 signatures10 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process11 process12 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 07:44:13 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
049f2bcbaa6d18cf9ee22b12c47ba8578c938d04df6d35a3c4cd3ed81fdcf4ab
Formbook
0c0bc5227a0bb8385d2afc010559324b249fbc6a510f2a25c75a93cee924e841
Formbook
17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad
Formbook
1bb79d3f58130c38c2d1c54737aaa69bfdf5693cf6177efaac78377020b86ad6
Formbook
35880c5210af5dca3edc22a693ab5f0cfcec0105cec988d930ab29fe09bd3461
Formbook
38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Formbook
8bb3e6cace7598576464639d7f88d0c4d55919b2e110a341df89a1569ae0d5b7
Formbook
e65ddcb1e8d85b5d13ab1aaf5d9747feea1e3e442ed82773640d740627f4d7ca
Formbook
f10508b4bd982e597771e6128fede0b532c42cb799ac495c922940c27a942dbe
Formbook
ffeb538e279b53ac314ec71da8a83ffd3693cf31cd3705e23579c7f20d182de6
Formbook
+ 5'964 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/210623-yavgla9l5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.yellow-wink.com/nff/
Unpacked files
SH256 hash:
e7731d4b4ccbe343e96c9cb7f29805f79cc4ea8ada61003403a8d86542ebeb48
MD5 hash:
af1bcfa3c2658dcaa72197c6c8537f05
SHA1 hash:
bb7d7153e366a924115a8b78573aad1d728960c2
Link:
https://www.unpac.me/results/d3175373-4d30-4efb-b593-cb6ddf07fe65/
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/d3175373-4d30-4efb-b593-cb6ddf07fe65/
SH256 hash:
cefb4fa9d8f118ece98e8e9da00644e3d086058903f64721335b513af69b0892
MD5 hash:
7413d26f5700cfee7acdf5c6f5c5d89c
SHA1 hash:
05906b80d83de78d0bee721893f69be0ceb608a9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d3175373-4d30-4efb-b593-cb6ddf07fe65/
Parent samples :
e65ddcb1e8d85b5d13ab1aaf5d9747feea1e3e442ed82773640d740627f4d7ca
55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1
5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32
a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
a53a4c82477eada893191662cf4ab4b3f44d1da7cae9ea8a7de3f859a424292b
e2c11a82ce76ab32b7033c6d47081c6c44fe2288211fe0af6202f3333196cbe6
SH256 hash:
55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1
MD5 hash:
f8a2a66cb7f5ff9cd74bb2071a2753a1
SHA1 hash:
16b1ce9d404faeafe15f4bc2d60ab3d59c173164
Link:
https://www.unpac.me/results/d3175373-4d30-4efb-b593-cb6ddf07fe65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1390689/
Cape
Cape
https://www.capesandbox.com/analysis/167764/

Comments