MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0
SHA3-384 hash: 9c3736c6973661923db34ba51e90cb27cd3ddd8c49d6279c52d31e7c52f52d904e19a2f748bac84bd295d3df828079dc
SHA1 hash: 203f4f02fb55629a88144d71e912f508a2794bbe
MD5 hash: a6896919944929aa21d0bf14103d55b8
humanhash: fillet-wyoming-fourteen-table
File name:a6896919944929aa21d0bf14103d55b8
Download: download sample
Signature Formbook
Create hunting rule
File size:746'496 bytes
First seen:2022-05-31 14:02:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dxChnSWEF/kqsB+nymaxDnWpg3X+3kmXZPQNUMblIYbYz:uLEF/7XFax7Gge1JPIbFQ
Threatray 16'539 similar samples on MalwareBazaar
TLSH T12EF4011DF6F4CB22C2599677C0C365180371C912D662EB2B3F98ABEA1D0337B8D4765A
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 70f8ecccece87070 (15 x Formbook, 9 x AgentTesla, 8 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6896919944929aa21d0bf14103d55b8
Verdict:
Suspicious activity
Analysis date:
2022-05-31 17:27:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d930acb4-241a-4e74-ab99-bbd9b645c5c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275748/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.17043.4306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/629620177abe882a351cdf8a/reports/0dd692d4-aaca-4468-8d18-65270a4cc466/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cb8e5a4-12fd-4ba2-a759-a0159b5cfefa
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004331
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 636826 Sample: mic17yw3cj Startdate: 31/05/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 10 mic17yw3cj.exe 3 2->10         started        14 explorer.exe 2->14         started        process3 file4 32 C:\Users\user\AppData\...\mic17yw3cj.exe.log, ASCII 10->32 dropped 58 Tries to detect virtualization through RDTSC time measurements 10->58 60 Injects a PE file into a foreign processes 10->60 16 mic17yw3cj.exe 10->16         started        19 mic17yw3cj.exe 10->19         started        signatures5 process6 signatures7 34 Modifies the context of a thread in another process (thread injection) 16->34 36 Maps a DLL or memory area into another process 16->36 38 Sample uses process hollowing technique 16->38 40 Queues an APC in another process (thread injection) 16->40 21 explorer.exe 16->21 injected process8 process9 23 systray.exe 21->23         started        signatures10 50 Self deletion via cmd or bat file 23->50 52 Modifies the context of a thread in another process (thread injection) 23->52 54 Maps a DLL or memory area into another process 23->54 56 Tries to detect virtualization through RDTSC time measurements 23->56 26 cmd.exe 1 23->26         started        28 explorer.exe 5 158 23->28         started        process11 process12 30 conhost.exe 26->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 14:03:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzeknjnbivn6nkfjzmnuc2vov3kb4t5ziv6vqep5psfv7ayy63qa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a4c2314615f2ebf7a71d3da4a70f421c604daa81c51abd4c7f3625ebdace7a5
Formbook
1c6a3fdbe07eca91bb067a9ba1c90bd87df0d94a0f8c9d870c792baa4a040c45
Formbook
41a777eaec8aab590f8f5cd6dce86bc1376b9eb61df1c9661cf0fd93f0d2d767
Formbook
84b0888a5a6938795c26a681435c52a25c16fe2d1e6230112df171024c8767df
Formbook
9677ba2c1b2c60c5d2807be7961625f56b6d319d050d4e04accdb55f5a080376
Formbook
b9531a6cb2babbc047c7bb0debb17d335b684e484e091ebcf85cb64490ed6537
Formbook
c6043c3c87526712c251385dacc61e443647d1dcca1e86ce411e69cb711c4640
Formbook
d6a8c5f4120e3be2e6d676d808dbdadc074f811398ac5b03878baba7275137d4
Formbook
+ 16'529 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:id17 rat spyware stealer trojan
Link:
https://tria.ge/reports/220531-rcnn5abdd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
9ce72950979db0359c91eefb13709a5dce3b7494726ce1b5d11983f3b72994d3
MD5 hash:
f9a69e3d0f8fe00c332119a70be09662
SHA1 hash:
e4ebece65ac00af97cf96950d5ddfbc0f9f44111
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
SH256 hash:
c83b114bfb8a02cf7513f56496639bc4cd4ab4609e9458b28aed7072543a3ccf
MD5 hash:
2d394e303168cd1e6b4b96622d4c6842
SHA1 hash:
2eebc416ed90ccb64d48e4650fe1b12d8d0842fc
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
SH256 hash:
72c90814a6be0731bb4c50925454dcbc3b6b47c4443f28d99e20b3c8cac8b555
MD5 hash:
425b8dbe5330c877092e920edafe1131
SHA1 hash:
428e534353e067cec930d154809bca3b97d24a0f
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
SH256 hash:
147c41a16502d80b3aaff0f32bbc6af50ad5350a7bf69f289f89d836c147e5d3
MD5 hash:
bb9065895a42c4371d0bed5027fb4983
SHA1 hash:
25a208c693f182f74f61192be1b04a1d50a465f9
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
SH256 hash:
879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504
MD5 hash:
30b6a54a992eae921a2eb8c5ea130911
SHA1 hash:
1c83f0319bffe007077c6656418c9b7344d5affe
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
SH256 hash:
fda7eb098e66d4972e05ef9ef8cde5149f4b8ccd65bf7545db1305db89b1111b
MD5 hash:
e09ebb92bfeb772ece38a12a65e08b18
SHA1 hash:
055296bc68beae33aed7480ec5590f8184951fd8
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
SH256 hash:
5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0
MD5 hash:
a6896919944929aa21d0bf14103d55b8
SHA1 hash:
203f4f02fb55629a88144d71e912f508a2794bbe
Link:
https://www.unpac.me/results/b6f6bf43-3f2c-4dd1-a4c3-0126a413f059/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5648a6a5a1455be6a8a9cb1b416aaeaed41e4fb9457d5811fd7c8b5f8318f6e0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2219218/
Cape
Cape
https://www.capesandbox.com/analysis/275748/

Comments


Avatar
zbet commented on 2022-05-31 14:02:12 UTC

url : hxxp://criticalmattermediation.com/k2/LY.exe