MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33
SHA3-384 hash: ebefe722ffdb63d04d8299cd34ed54ef4275bd3f98d57469e18e81ca5d42bf038a7108d9bf86fcc41f04ae6aa1fe4c82
SHA1 hash: 7ca1fc89acd56f314dae7e8ba0e41227ca342f7d
MD5 hash: 48f264ba784a88ef38095ab61b7caa55
humanhash: october-charlie-hamper-mountain
File name:48f264ba784a88ef38095ab61b7caa55.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:243'825 bytes
First seen:2021-03-31 07:38:09 UTC
Last seen:2021-03-31 08:50:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:PAPjd+LCu3vIf+lGWhtHhg439jvk9m+7aT:WklAG88t2u7uJW
Threatray 4'437 similar samples on MalwareBazaar
TLSH 6734121621E2CBBBD1128A323D36AB76B7FD8014431226D71FB49F170D22252DE563AE
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
48f264ba784a88ef38095ab61b7caa55.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 08:00:58 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c8396b11-0309-4746-8149-c12684de965a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129217/
Detection(s):
SecuriteInfo.com.Variant.Jaik.44831.4268.7205.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/659859
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378859 Sample: 2QHrjoM9fc.exe Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 5 other signatures 2->42 10 2QHrjoM9fc.exe 11 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\qhgs.dll, PE32 10->28 dropped 52 Detected unpacking (changes PE section rights) 10->52 54 Maps a DLL or memory area into another process 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 14 2QHrjoM9fc.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.namedfollows.com 198.54.117.244, 49765, 80 NAMECHEAP-NETUS United States 17->30 32 www.spartacleaningservices.com 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 rundll32.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 07:38:57 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5k7lgfgnneuu5usx7x5p7zurv6r3cxg7xl6pgn57z7wzp3efqzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
024c67bdc81850f0d4acf648be1016358c78e21a74dbde96b0d753cffd76ffa7
Formbook
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
Formbook
720ffc99aa96c665aae27db46f776476c37ca113db207790579adfd81c73ad05
Formbook
851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376
Formbook
8ac1fc19367861f3a749d801300f554148e36a0e8a4f4cce3c5d3e4de43e4279
Formbook
b080dca77a9e352f8bf013f459f8b0195bfa5d1ea5d2b748d15339cf3f980d78
Formbook
d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21
Formbook
d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Formbook
f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c
Formbook
f61ea12383c210bd9db6f0148321bfbc36b24c7b55197cbafef0ae23cadd9b9c
Formbook
+ 4'427 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210331-lzpzjs2k7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.stockproductionmusic.works/gzh/
Unpacked files
SH256 hash:
0f9f72560f0cbcd15e41dbdb612aed3df09d72a5274a6c954a17288d781c8a36
MD5 hash:
7b769150b4982904050df82beb9582db
SHA1 hash:
ff2d8ff6c0d98cd6cb1875b35e49c8e7ae9c4049
Link:
https://www.unpac.me/results/a804c909-e4ac-40d8-842e-2e3ddbeea0d9/
SH256 hash:
5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33
MD5 hash:
48f264ba784a88ef38095ab61b7caa55
SHA1 hash:
7ca1fc89acd56f314dae7e8ba0e41227ca342f7d
Link:
https://www.unpac.me/results/a804c909-e4ac-40d8-842e-2e3ddbeea0d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5755f598a66b494a7692bfefd7ff348d7d1d8ae6fdd7e799bdfe7f6cbf642c33

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/129217/
  
URLhaus
https://urlhaus.abuse.ch/url/1098226/
  
Delivery method
Distributed via web download

Comments