MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5
SHA3-384 hash: 14d74757a792d14e99378d86d36b1593931832b540fbe99e5dc8c01c61c59e990ab5c35a524d9924e7d3f0bd8651461c
SHA1 hash: fdecca78304a9aedc0f5d6efee3af47507acb180
MD5 hash: 13774cf9011ed10f4949228b2ac857b5
humanhash: eighteen-table-georgia-don
File name:SCAN 9384799839893234 PDF.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:1'399'296 bytes
First seen:2021-12-06 13:17:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:y7DLP6yv6J3VNsLuN/1rCSfdmO5ADWeS0w09F7YbRYvouo:oLPvwDsKNtrCcdmOinSHKF7Ybvuo
Threatray 12'140 similar samples on MalwareBazaar
TLSH T1F0556A5C317024AFE83A853145540F779EF12C7E866B93CE721734AF8ABD9468F242E9
File icon (PE):PE icon
dhash icon 86e8c0c8ccd89ce6 (18 x AgentTesla, 18 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:bat exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SCAN 9384799839893234 PDF.bat
Verdict:
Malicious activity
Analysis date:
2021-12-06 22:58:16 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/09c5dadd-75af-4620-89ba-8eccef8e2332

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211788/
Detection(s):
SecuriteInfo.com.PWS-FCUF13774CF9011E.12931.14508.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61ae0d90fa72c81b5b0e69f1/reports/1dfe3e43-5b6b-4324-804c-26004e213a68/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fd0ebe7e-2247-4025-9e41-8c8ef2271e8b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902276
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534754 Sample: SCAN 9384799839893234 PDF.bat Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected AntiVM3 2->40 42 9 other signatures 2->42 10 SCAN 9384799839893234 PDF.exe 3 2->10         started        process3 file4 30 C:\...\SCAN 9384799839893234 PDF.exe.log, ASCII 10->30 dropped 56 Injects a PE file into a foreign processes 10->56 14 SCAN 9384799839893234 PDF.exe 10->14         started        17 SCAN 9384799839893234 PDF.exe 10->17         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 32 www.hxdz2.com 154.86.55.104, 49774, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 19->32 34 www.honeywelkhome.com 19->34 44 System process connects to network (likely due to code injection or exploit) 19->44 46 Uses netstat to query active network connections and open ports 19->46 23 NETSTAT.EXE 19->23         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 23->48 50 Modifies the context of a thread in another process (thread injection) 23->50 52 Maps a DLL or memory area into another process 23->52 54 Tries to detect virtualization through RDTSC time measurements 23->54 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 13:18:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kx5k7ql7rsmjnulvcovycusdksgy4eykjcw4g32afi47zf2ou7sq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3ff28d4f5a5b236c660c2714bf1b5a515cf72cd738afea35b916938024644538
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
6b808cf78989a505d346c7a9e3d8d571cec2c21fe0ef9b3c1f5e04bbad6be3c2
Formbook
8ddc14ac94185fbe27b3764fb4e24fd8c25626a465074e8f640955a6f3409c08
Formbook
90f9e8094fe8847f4b4521afafd5c5e59d4368ddc26a4f589730cd998520fd50
Formbook
a68cb3bf1d9d41e29fcf2e4391e827591e58783cea5a13fe95403fb6b3429b5d
Formbook
ae1c03af5639fe2515edf78971c8e322e4f5c271944da757583a2f2c372a4231
Formbook
ba3c756c27b44d1cb989c1107cbefadcaf40be4b8186f1a8e4641c264e6dfb42
Formbook
d5a298726b4735d30f3af5331c0a8dc948178a7a776c5961497ceb6fb64ea975
Formbook
+ 12'130 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a6rm rat spyware stealer trojan
Link:
https://tria.ge/reports/211206-qjyx1ahaa7/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.99moive.com/a6rm/
Unpacked files
SH256 hash:
b83fbfedc35a453ceb37dafbb2cab96625972e0b68b8146fa19d317f75120eac
MD5 hash:
06533dfde1d34bca3d4990cedce5d7d7
SHA1 hash:
1627782a8eea8af2a404459e736e7178a920b695
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6241c759-7bc4-4193-8652-a3272bc67f28/
Parent samples :
55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5
947e0314a5c24952596b1a6f8455e10c642ad0d3dc88a57bcef1ecbdf69d418b
2c8f4b4a178ea06cffe462e08ba5ddabb964cb715b9cdd4024c1b0f7bc7e78e6
SH256 hash:
183c9e1530b9b784403dadbebaaffac8aa68227308a503f74fc01e9a53014cab
MD5 hash:
cfc5e09fac278e2d71364752decdcc32
SHA1 hash:
8e9c79fc10f2cfdb275d56d5ff5902f581e1bf0a
Link:
https://www.unpac.me/results/6241c759-7bc4-4193-8652-a3272bc67f28/
SH256 hash:
fdb256a562c32e4a299bf1ab5f38488bd78bd0c60abc3c5eafdbc08edc0dd584
MD5 hash:
91883215a201aa7f0d63bd23ae41d20b
SHA1 hash:
2a2b588671a2cdfe3d2968279690e3911a86cc09
Link:
https://www.unpac.me/results/6241c759-7bc4-4193-8652-a3272bc67f28/
SH256 hash:
55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5
MD5 hash:
13774cf9011ed10f4949228b2ac857b5
SHA1 hash:
fdecca78304a9aedc0f5d6efee3af47507acb180
Link:
https://www.unpac.me/results/6241c759-7bc4-4193-8652-a3272bc67f28/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/55faafc17f8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/55faafc17f8c9896d17513ab815243548d8e130a48adc36f402a39fc974ea7e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211788/

Comments