MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc
SHA3-384 hash: bc52f7447093bc75b0c1068c2b35ab554417c4a31b9d38209d92be870e50b89521f791c692000b96377de05106c20103
SHA1 hash: 35efb5dec83f1a802b05c6d8f6a1046a4dc9c14e
MD5 hash: 75148a48554bf658b5bca72fd77b69ed
humanhash: sierra-sink-pizza-undress
File name:ROCA 4501226854,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:679'936 bytes
First seen:2022-02-03 12:02:40 UTC
Last seen:2022-02-06 14:44:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ELGSDInWnA0+rjumRpcasoOnkk34kr5oR9FMBh+OQhNOi:K4u75VE
Threatray 13'065 similar samples on MalwareBazaar
TLSH T11EE4CD2A38BA100DB2719D6C6BBCB1B6911EF7F226365CBB0DF7050611129F0DB9D627
File icon (PE):PE icon
dhash icon 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ROCA 4501226854,pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-02-03 12:07:09 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/49bdb030-231a-4fad-93ae-7032f1b1d6e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/232164/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb9480a4-309b-4796-baa8-1e0fbcb35212
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933277
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 12:03:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5ipbic4sk76gmr7xhq6hqywurhacm4ltyxqf5ajsqsmhy33zdga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
786698eab83f77c1fdc3d37daf49966befe788b0e85167083726354225176d1f
Formbook
89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
Formbook
8bad1870cc1ed1ea03923d7b427c31ed9e0266a0b8d0fea1cf6e6190c94ce46c
Formbook
9e6a92df11bb23b335d5bbf85731a1ea96f6c4038a24c2e4edb28e2169804c30
Formbook
adf7fa31e3f65111c002c0cd54c049a05c2327a7d9956f41aa7c7f0f069d4263
Formbook
cfd1a77378decd68cd7a59307b77b93247bdd91e00de5111ecae6b5658c8665f
Formbook
d277fc7f7001598fc7730b3bfec96ce2749f616d64fe20bcd403a599b1bc7c2c
Formbook
+ 13'055 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:c0a7 loader persistence rat
Link:
https://tria.ge/reports/220203-n72mpaggb8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Sets service image path in registry
Xloader Payload
Xloader
Unpacked files
SH256 hash:
cb1394d16894be7b9488b629afb19674f84d216c1117e68975f94452dbaec74c
MD5 hash:
9e3cfde2483b22fc8fd53bf100daa9b8
SHA1 hash:
5234960821495aec0a74dc440568366b8d9c225e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a0545e14-15a4-43ef-9479-0439a6e82b9d/
Parent samples :
5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc
ccf47d9fd0a0ddce06c265b87f0e2377bb58107c18659ac908b7e3a5731ad081
f477ff9ff2a431f168d2defd7c9b62ae9f0648488e9977479e407468d5cdce1e
a73fffb5cb53f03b1a59a712cf34a8b156f1dec4a8c2757a475431edc659e6aa
f84b362a10ce6a355e3d48e602f672416acddab0194b1dc0ffaa01213bf28d2a
SH256 hash:
238b0eb59527f6d14264ef951711300d8f89ee1bfb1147b3f8ce920a6a322b73
MD5 hash:
4c7f79558918e152d4d543b1253943d8
SHA1 hash:
e3896cb358fb3ffe4c727ed2032885ed11738d56
Link:
https://www.unpac.me/results/a0545e14-15a4-43ef-9479-0439a6e82b9d/
SH256 hash:
5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc
MD5 hash:
75148a48554bf658b5bca72fd77b69ed
SHA1 hash:
35efb5dec83f1a802b05c6d8f6a1046a4dc9c14e
Link:
https://www.unpac.me/results/a0545e14-15a4-43ef-9479-0439a6e82b9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5750f0a05c92bfe3323fb9e1e3c316a44e01338b9e2f02f4099424c3e37bc8cc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/232164/

Comments