MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6
SHA3-384 hash: 9564f3db9abb30ee450fbde5aaac99d37bfd775c6a4635d01c1f8eeb4b851d53fcd7c569b8cc7787049f03f60800944a
SHA1 hash: a1cd75972717d411d6ecfb7f1a3f84b10db90b14
MD5 hash: 0be9d35f5a330ba1175740c08f1c0366
humanhash: single-three-potato-west
File name:0be9d35f5a330ba1175740c08f1c0366
Download: download sample
Signature Formbook
Create hunting rule
File size:637'952 bytes
First seen:2022-04-26 04:54:09 UTC
Last seen:2022-04-26 05:32:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:kTiy9yETH4MS+xq+1Gmznvy7p2xnYGhhoZRb5JmoN8FhC:Dy9jH4MS+xq+1GmznUAxnYGnoRfmoSF8
Threatray 13'837 similar samples on MalwareBazaar
TLSH T1EED4120BE325BA16CDBD0BB150A768914ABB7E675933BB4F12CC7F2589337C18627160
TrID 54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266635/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.30748.24162.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62677b0ae1f182a52a5ee553/reports/bdc6daef-51a1-4a49-b076-c1e643106694/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/219baed5-b070-405d-9621-25b66f674d0f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982919
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615406 Sample: QfyGp1rOWv Startdate: 26/04/2022 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 10 QfyGp1rOWv.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\...GWNxsWgWnlL.exe, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmpCE41.tmp, XML 10->38 dropped 40 C:\Users\user\AppData\...\QfyGp1rOWv.exe.log, ASCII 10->40 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 10->50 52 Writes to foreign memory regions 10->52 54 Allocates memory in foreign processes 10->54 56 2 other signatures 10->56 14 RegSvcs.exe 10->14         started        17 powershell.exe 23 10->17         started        19 schtasks.exe 1 10->19         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 2 other signatures 14->68 21 explorer.exe 14->21 injected 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        process8 process9 27 msiexec.exe 21->27         started        signatures10 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 30 cmd.exe 1 27->30         started        32 explorer.exe 1 134 27->32         started        process11 process12 34 conhost.exe 30->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6/
Threat name:
ByteCode-MSIL.Trojan.RealProtectPENGSD
Create hunting rule
Status:
Malicious
First seen:
2022-04-26 04:55:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kztrhgaxj3p7vtjcs5c2jfb45zc4chsi5rb2o2hrne63gushc7ta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3859da72cd34fc9b4ebe2ff100a3d888845836f4945bf2bcdfb83d5d0d16508a
Formbook
5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b
Formbook
7b3be400d99b473afc9f2bdf46477b61736a71db20cd9d1137b0cab4d4aaeff9
Formbook
90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575
Formbook
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
Formbook
b28653e85b97fd93c5d893839290ff17e6a6eb748eba11c9ee11ec9884e35410
Formbook
c0e6b0b4e80d36f0872fe01ed20cc5a6d17083f6d11ff93cc5ccc841dd43aa33
Formbook
e740634fa7cca3715fa9eb7fa30892467e31d044ed6f661ad25dae49298862d7
Formbook
f8137858a6c349110aab09e2ecfd1c68d102b7b9b9809c7dcd2e1e8d2662f38c
Formbook
+ 13'827 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s4s9 rat spyware stealer trojan
Link:
https://tria.ge/reports/220426-fj4s5sbae8/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
Unpacked files
SH256 hash:
652917a344da67f2f4ca4f3d702a6a33fa5c307a242d526cd239033c25f25b22
MD5 hash:
c80452d6ae421262a7d3741737080ce1
SHA1 hash:
16a4b35fa689145a61ec118623e97457690166bb
Link:
https://www.unpac.me/results/1b754670-ca0b-450c-ae5d-39fa881db03c/
SH256 hash:
09cd3bc420c8982190990a9673b58c3ab01e933dff0881f1e521d3316f1b9a6b
MD5 hash:
6933707e111286a128ad0f7fa298153f
SHA1 hash:
d1121c8bed634e9684727e8c0aad3f597b0749ad
Link:
https://www.unpac.me/results/1b754670-ca0b-450c-ae5d-39fa881db03c/
SH256 hash:
af0a77892100e4f393de70e2893d642e8caecfe3b8d0dda97cbe26b53ecab660
MD5 hash:
f22b1c84ce7151f2b1c3d96061ce63f0
SHA1 hash:
d18b9717bbe4aae9fac74baad7fbfa5c6955ee81
Link:
https://www.unpac.me/results/1b754670-ca0b-450c-ae5d-39fa881db03c/
SH256 hash:
5d6151c285d473e8648d4a06ac29ef6a0267a124cf586b483d4c897c8a99b11d
MD5 hash:
746b4d06c36ac62b133dac83ffa9a538
SHA1 hash:
ed219881ccb01f440abc4f60bfcf212de308facb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1b754670-ca0b-450c-ae5d-39fa881db03c/
Parent samples :
90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575
b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab
56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6
SH256 hash:
56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6
MD5 hash:
0be9d35f5a330ba1175740c08f1c0366
SHA1 hash:
a1cd75972717d411d6ecfb7f1a3f84b10db90b14
Link:
https://www.unpac.me/results/1b754670-ca0b-450c-ae5d-39fa881db03c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56671398174e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb2
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2164426/
Cape
Cape
https://www.capesandbox.com/analysis/266635/

Comments


Avatar
zbet commented on 2022-04-26 04:54:12 UTC

url : hxxp://107.172.13.138/k/8g6.exe