MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57cfa9ebc3f12db279f1303ceffc86e3ba3a12505f787d8453f200306319e145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57cfa9ebc3f12db279f1303ceffc86e3ba3a12505f787d8453f200306319e145
SHA3-384 hash: 2fb16962aa7579608fbe80eaad5cf10d54968e47753c4ca8a3f239309c5eb44c20b6675e07d38381c9d8afc666c6805e
SHA1 hash: c235d77b7a7599a83d022a11044518e9529899fc
MD5 hash: b79f94be889635c51ef96a70d69ca79e
humanhash: lemon-west-burger-freddie
File name:PO_210205.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'153'984 bytes
First seen:2021-02-05 05:12:16 UTC
Last seen:2021-02-05 07:08:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:uvko1tPqh6HIeSERlDNfUMR/esuXHZAWd7QC50l1kWGPW:uMxKlDh3uXpd
Threatray 3'750 similar samples on MalwareBazaar
TLSH 4FA5C49D365077DEC81BCE368A681C64EBD0787A870BD20790A31AEDEA5D957CF140F2
Reporter Anonymous
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_210205.exe
Verdict:
Malicious activity
Analysis date:
2021-02-05 05:06:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/021d51a3-0476-4b4f-9c7b-4a4cfb95702b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115701/
Detection(s):
SecuriteInfo.com.ArtemisB79F94BE8896.24337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/599986
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349017 Sample: PO_210205.exe Startdate: 05/02/2021 Architecture: WINDOWS Score: 100 37 www.jncwjzgc.com 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 8 other signatures 2->51 11 PO_210205.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\tmp2081.tmp, XML 11->33 dropped 35 C:\Users\user\AppData\...\IJmlJvrZxm.exe, PE32 11->35 dropped 61 Detected unpacking (changes PE section rights) 11->61 63 Detected unpacking (overwrites its own PE header) 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 67 Injects a PE file into a foreign processes 11->67 15 PO_210205.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 Queues an APC in another process (thread injection) 15->75 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 39 centretabacstop.net 109.234.162.61, 49739, 80 O2SWITCHFR France 20->39 41 www.stockbrokerpotential.xyz 107.150.35.42, 49742, 80 NOCIXUS United States 20->41 43 6 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 26 systray.exe 20->26         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/57cfa9ebc3f12db279f1303ceffc86e3ba3a12505f787d8453f200306319e145/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 05:13:05 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7h2t26d6ew3e6prga6o77eg4o5duesql54h3bct6iadayyz4fcq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d41517fe048b21edfd59458b0dc8966e53daacdb7e7c5a7bdc7dab5bf233bd1
Formbook
7843242690547cf0b4ebea118783c903b99c3a211f1775db3cf24b09fbe2454a
Formbook
805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591
Formbook
82c118d71fb0433b051b37a040f31f2455ceb3ddd01b7d314cf6b1f4648d454d
Formbook
898746d8c0bc244b1a1b7ad40e440bc2ea3ad1f058c5782e4d043ff61add8235
Formbook
970aa1ea39079684830789ad8c5c9cbf9777b65fdb44130aa8bbe4b88245e6fc
Formbook
99aae5746d65a99f7d5f1f289d0acebde486e580abfe29976806204b23de6b8d
Formbook
d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
Formbook
d8eca36ecff579ceffbd778ab8c8949a94d4967e1c0965988b2a68671f1915ef
Formbook
ded4435057919aa79f8453db4172ffd89198323fa247e70daa418a7a21136df2
Formbook
+ 3'740 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210205-n1kdj4rmta/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.adamjbrowne.com/knb/
Unpacked files
SH256 hash:
e36c54384773ca50c45fdad601274ff6c084487c4e5894316e25b6a8c0a3350c
MD5 hash:
81ee3caeeb544096a33c16da69679371
SHA1 hash:
ea706a60f5299116512e2a657cfbb49edc447c70
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/15e3fd3b-e62f-42cf-b217-f7383f7b33be/
Parent samples :
0d41517fe048b21edfd59458b0dc8966e53daacdb7e7c5a7bdc7dab5bf233bd1
99aae5746d65a99f7d5f1f289d0acebde486e580abfe29976806204b23de6b8d
82c118d71fb0433b051b37a040f31f2455ceb3ddd01b7d314cf6b1f4648d454d
898746d8c0bc244b1a1b7ad40e440bc2ea3ad1f058c5782e4d043ff61add8235
57cfa9ebc3f12db279f1303ceffc86e3ba3a12505f787d8453f200306319e145
SH256 hash:
c6996e3f066ad4618d3832382a517f67dbcf5e655d038d405e6921a80052b7a3
MD5 hash:
330fdbd3d33a07f62812a94e4017d031
SHA1 hash:
47910b995e5368c6031e01d8cb5944f5db531518
Link:
https://www.unpac.me/results/15e3fd3b-e62f-42cf-b217-f7383f7b33be/
SH256 hash:
d78b9ab03e0c837b064e1ce91bfc3ba210c1c1193c2979e700f90d50752adf59
MD5 hash:
87c3ff4761c781ec2073f672674bb04f
SHA1 hash:
0f65e6cd4a3fcd7f00c321ba152e5dc405ae4790
Link:
https://www.unpac.me/results/15e3fd3b-e62f-42cf-b217-f7383f7b33be/
SH256 hash:
57cfa9ebc3f12db279f1303ceffc86e3ba3a12505f787d8453f200306319e145
MD5 hash:
b79f94be889635c51ef96a70d69ca79e
SHA1 hash:
c235d77b7a7599a83d022a11044518e9529899fc
Link:
https://www.unpac.me/results/15e3fd3b-e62f-42cf-b217-f7383f7b33be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57cfa9ebc3f12db279f1303ceffc86e3ba3a12505f787d8453f200306319e145

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/115701/

Comments